/*
* Copyright (c) 2007-2010 Apple Inc. All rights reserved.
*
* @APPLE_OSREFERENCE_LICENSE_HEADER_START@
*
* This file contains Original Code and/or Modifications of Original Code
* as defined in and that are subject to the Apple Public Source License
* Version 2.0 (the 'License'). You may not use this file except in
* compliance with the License. The rights granted to you under the License
* may not be used to create, or enable the creation or redistribution of,
* unlawful or unlicensed copies of an Apple operating system, or to
* circumvent, violate, or enable the circumvention or violation of, any
* terms of an Apple operating system software license agreement.
*
* Please obtain a copy of the License at
* http://www.opensource.apple.com/apsl/ and read it before using this file.
*
* The Original Code and all software distributed under the License are
* distributed on an 'AS IS' basis, WITHOUT WARRANTY OF ANY KIND, EITHER
* EXPRESS OR IMPLIED, AND APPLE HEREBY DISCLAIMS ALL SUCH WARRANTIES,
* INCLUDING WITHOUT LIMITATION, ANY WARRANTIES OF MERCHANTABILITY,
* FITNESS FOR A PARTICULAR PURPOSE, QUIET ENJOYMENT OR NON-INFRINGEMENT.
* Please see the License for the specific language governing rights and
* limitations under the License.
*
* @APPLE_OSREFERENCE_LICENSE_HEADER_END@
*//*-
* Copyright (c) 1999-2002 Robert N. M. Watson
* Copyright (c) 2001-2005 Networks Associates Technology, Inc.
* Copyright (c) 2005-2007 SPARTA, Inc.
* All rights reserved.
*
* This software was developed by Robert Watson for the TrustedBSD Project.
*
* This software was developed for the FreeBSD Project in part by Network
* Associates Laboratories, the Security Research Division of Network
* Associates, Inc. under DARPA/SPAWAR contract N66001-01-C-8035 ("CBOSS"),
* as part of the DARPA CHATS research program.
*
* This software was enhanced by SPARTA ISSO under SPAWAR contract
* N66001-04-C-6019 ("SEFOS").
*
* Redistribution and use in source and binary forms, with or without
* modification, are permitted provided that the following conditions
* are met:
* 1. Redistributions of source code must retain the above copyright
* notice, this list of conditions and the following disclaimer.
* 2. Redistributions in binary form must reproduce the above copyright
* notice, this list of conditions and the following disclaimer in the
* documentation and/or other materials provided with the distribution.
*
* THIS SOFTWARE IS PROVIDED BY THE AUTHOR AND CONTRIBUTORS ``AS IS'' AND
* ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
* IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE
* ARE DISCLAIMED. IN NO EVENT SHALL THE AUTHOR OR CONTRIBUTORS BE LIABLE
* FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL
* DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS
* OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
* HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT
* LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY
* OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF
* SUCH DAMAGE.
*
* $FreeBSD: src/sys/sys/mac_policy.h,v 1.39 2003/04/18 19:57:37 rwatson Exp $
*//**
@file mac_policy.h
@brief Kernel Interfaces for MAC policy modules
This header defines the list of operations that are defined by the
TrustedBSD MAC Framwork on Darwin. MAC Policy modules register
with the framework to declare interest in a specific set of
operations. If interest in an entry point is not declared, then
the policy will be ignored when the Framework evaluates that entry
point.
*/
#ifndef_SECURITY_MAC_POLICY_H_
#define_SECURITY_MAC_POLICY_H_
#include<security/_label.h>struct attrlist;
struct auditinfo;
struct bpf_d;
struct devnode;
struct fileglob;
struct ifnet;
struct inpcb;
struct ipq;
struct label;
struct lctx;
struct mac_module_data;
struct mac_policy_conf;
struct mbuf;
struct mount;
struct pipe;
struct pseminfo;
struct pshminfo;
struct sbuf;
struct semid_kernel;
struct shmid_kernel;
struct task;
struct thread;
struct ucred;
struct vnode;
/** @struct dummy */
#ifndef_KAUTH_CRED_T
#define_KAUTH_CRED_Ttypedefstruct ucred *kauth_cred_t;
#endif/* !_KAUTH_CRED_T */
#ifndef__IOKIT_PORTS_DEFINED__
#define__IOKIT_PORTS_DEFINED__
#ifdef__cplusplus
class OSObject;
typedef OSObject *io_object_t;
#elsestruct OSObject;
typedefstruct OSObject *io_object_t;
#endif
#endif/* __IOKIT_PORTS_DEFINED__ *//*-
* MAC entry points are generally named using the following template:
*
* mpo_<object>_<operation>()
*
* or:
*
* mpo_<object>_check_<operation>()
*
* Entry points are sorted by object type.
*
* It may be desirable also to consider some subsystems as "objects", such
* as system, iokit, etc.
*//**
@name Entry Points for Label Management
These are the entry points corresponding to the life cycle events for
kernel objects, such as initialization, creation, and destruction.
Most policies (that use labels) will initialize labels by allocating
space for policy-specific data. In most cases, it is permitted to
sleep during label initialization operations; it will be noted when
it is not permitted.
Initialization usually will not require doing more than allocating a
generic label for the given object. What follows initialization is
creation, where a label is made specific to the object it is associated
with. Destruction occurs when the label is no longer needed, such as
when the corresponding object is destroyed. All necessary cleanup should
be performed in label destroy operations.
Where possible, the label entry points have identical parameters. If
the policy module does not require structure-specific label
information, the same function may be registered in the policy
operation vector. Many policies will implement two such generic
allocation calls: one to handle sleepable requests, and one to handle
potentially non-sleepable requests.
*//**
@brief Audit event postselection
@param cred Subject credential
@param syscode Syscall number
@param args Syscall arguments
@param error Syscall errno
@param retval Syscall return value
This is the MAC Framework audit postselect, which is called before
exiting a syscall to determine if an audit event should be committed.
A return value of MAC_AUDIT_NO forces the audit record to be suppressed.
Any other return value results in the audit record being committed.
@warning The suppression behavior will probably go away in Apple's
future version of the audit implementation.
@return Return MAC_AUDIT_NO to force suppression of the audit record.
Any other value results in the audit record being committed.
*/typedefintmpo_audit_check_postselect_t(
kauth_cred_t cred,
unsignedshort syscode,
void *args,
int error,
int retval
);
/**
@brief Audit event preselection
@param cred Subject credential
@param syscode Syscall number
@param args Syscall arguments
This is the MAC Framework audit preselect, which is called before a
syscall is entered to determine if an audit event should be created.
If the MAC policy forces the syscall to be audited, MAC_AUDIT_YES should be
returned. A return value of MAC_AUDIT_NO causes the audit record to
be suppressed. Returning MAC_POLICY_DEFAULT indicates that the policy wants
to defer to the system's existing preselection mechanism.
When policies return different preferences, the Framework decides what action
to take based on the following policy. If any policy returns MAC_AUDIT_YES,
then create an audit record, else if any policy returns MAC_AUDIT_NO, then
suppress the creations of an audit record, else defer to the system's
existing preselection mechanism.
@warning The audit implementation in Apple's current version is
incomplete, so the MAC policies have priority over the system's existing
mechanisms. This will probably change in the future version where
the audit implementation is more complete.
@return Return MAC_AUDIT_YES to force auditing of the syscall,
MAC_AUDIT_NO to force no auditing of the syscall, MAC_AUDIT_DEFAULT
to allow auditing mechanisms to determine if the syscall is audited.
*/typedefintmpo_audit_check_preselect_t(
kauth_cred_t cred,
unsignedshort syscode,
void *args
);
/**
@brief Initialize BPF descriptor label
@param label New label to initialize
Initialize the label for a newly instantiated BPF descriptor.
Sleeping is permitted.
*/typedefvoidmpo_bpfdesc_label_init_t(
struct label *label
);
/**
@brief Destroy BPF descriptor label
@param label The label to be destroyed
Destroy a BPF descriptor label. Since the BPF descriptor
is going out of scope, policy modules should free any internal
storage associated with the label so that it may be destroyed.
*/typedefvoidmpo_bpfdesc_label_destroy_t(
struct label *label
);
/**
@brief Associate a BPF descriptor with a label
@param cred User credential creating the BPF descriptor
@param bpf_d The BPF descriptor
@param bpflabel The new label
Set the label on a newly created BPF descriptor from the passed
subject credential. This call will be made when a BPF device node
is opened by a process with the passed subject credential.
*/typedefvoidmpo_bpfdesc_label_associate_t(
kauth_cred_t cred,
struct bpf_d *bpf_d,
struct label *bpflabel
);
/**
@brief Check whether BPF can read from a network interface
@param bpf_d Subject; the BPF descriptor
@param bpflabel Policy label for bpf_d
@param ifp Object; the network interface
@param ifnetlabel Policy label for ifp
Determine whether the MAC framework should permit datagrams from
the passed network interface to be delivered to the buffers of
the passed BPF descriptor. Return (0) for success, or an errno
value for failure. Suggested failure: EACCES for label mismatches,
EPERM for lack of privilege.
*/typedefintmpo_bpfdesc_check_receive_t(
struct bpf_d *bpf_d,
struct label *bpflabel,
struct ifnet *ifp,
struct label *ifnetlabel
);
/**
@brief Indicate desire to change the process label at exec time
@param old Existing subject credential
@param vp File being executed
@param vnodelabel Label corresponding to vp
@param scriptvnodelabel Script vnode label
@param execlabel Userspace provided execution label
@param proc Object process
@see mac_execve
@see mpo_cred_label_update_execve_t
@see mpo_vnode_check_exec_t
Indicate whether this policy intends to update the label of a newly
created credential from the existing subject credential (old). This
call occurs when a process executes the passed vnode. If a policy
returns success from this entry point, the mpo_cred_label_update_execve
entry point will later be called with the same parameters. Access
has already been checked via the mpo_vnode_check_exec entry point,
this entry point is necessary to preserve kernel locking constraints
during program execution.
The supplied vnode and vnodelabel correspond with the file actually
being executed; in the case that the file is interpreted (for
example, a script), the label of the original exec-time vnode has
been preserved in scriptvnodelabel.
The final label, execlabel, corresponds to a label supplied by a
user space application through the use of the mac_execve system call.
The vnode lock is held during this operation. No changes should be
made to the old credential structure.
@warning Even if a policy returns 0, it should behave correctly in
the presence of an invocation of mpo_cred_label_update_execve, as that
call may happen as a result of another policy requesting a transition.
@return Non-zero if a transition is required, 0 otherwise.
*/typedefintmpo_cred_check_label_update_execve_t(
kauth_cred_t old,
struct vnode *vp,
struct label *vnodelabel,
struct label *scriptvnodelabel,
struct label *execlabel,
struct proc *proc
);
/**
@brief Access control check for relabelling processes
@param cred Subject credential
@param newlabel New label to apply to the user credential
@see mpo_cred_label_update_t
@see mac_set_proc
Determine whether the subject identified by the credential can relabel
itself to the supplied new label (newlabel). This access control check
is called when the mac_set_proc system call is invoked. A user space
application will supply a new value, the value will be internalized
and provided in newlabel.
@return Return 0 if access is granted, otherwise an appropriate value for
errno should be returned.
*/typedefintmpo_cred_check_label_update_t(
kauth_cred_t cred,
struct label *newlabel
);
/**
@brief Access control check for visibility of other subjects
@param u1 Subject credential
@param u2 Object credential
Determine whether the subject identified by the credential u1 can
"see" other subjects with the passed subject credential u2. This call
may be made in a number of situations, including inter-process status
sysctls used by ps, and in procfs lookups.
@return Return 0 if access is granted, otherwise an appropriate value for
errno should be returned. Suggested failure: EACCES for label mismatch,
EPERM for lack of privilege, or ESRCH to hide visibility.
*/typedefintmpo_cred_check_visible_t(
kauth_cred_t u1,
kauth_cred_t u2
);
/**
@brief Associate a credential with a new process at fork
@param cred credential to inherited by new process
@param proc the new process
Allow a process to associate the credential with a new
process for reference countng purposes.
NOTE: the credential can be dis-associated in ways other
than exit - so this strategy is flawed - should just
catch label destroy callback.
*/typedefvoidmpo_cred_label_associate_fork_t(
kauth_cred_t cred,
proc_t proc
);
/**
@brief Create the first process
@param cred Subject credential to be labeled
Create the subject credential of process 0, the parent of all BSD
kernel processes. Policies should update the label in the
previously initialized credential structure.
*/typedefvoidmpo_cred_label_associate_kernel_t(
kauth_cred_t cred
);
/**
@brief Create a credential label
@param parent_cred Parent credential
@param child_cred Child credential
Set the label of a newly created credential, most likely using the
information in the supplied parent credential.
@warning This call is made when crcopy or crdup is invoked on a
newly created struct ucred, and should not be confused with a
process fork or creation event.
*/typedefvoidmpo_cred_label_associate_t(
kauth_cred_t parent_cred,
kauth_cred_t child_cred
);
/**
@brief Create the first process
@param cred Subject credential to be labeled
Create the subject credential of process 1, the parent of all BSD
user processes. Policies should update the label in the previously
initialized credential structure. This is the 'init' process.
*/typedefvoidmpo_cred_label_associate_user_t(
kauth_cred_t cred
);
/**
@brief Destroy credential label
@param label The label to be destroyed
Destroy a user credential label. Since the user credential
is going out of scope, policy modules should free any internal
storage associated with the label so that it may be destroyed.
*/typedefvoidmpo_cred_label_destroy_t(
struct label *label
);
/**
@brief Externalize a user credential label for auditing
@param label Label to be externalized
@param element_name Name of the label namespace for which labels should be
externalized
@param sb String buffer to be filled with a text representation of the label
Produce an external representation of the label on a user credential for
inclusion in an audit record. An externalized label consists of a text
representation of the label contents that will be added to the audit record
as part of a text token. Policy-agnostic user space tools will display
this externalized version.
@return 0 on success, return non-zero if an error occurs while
externalizing the label data.
*/typedefintmpo_cred_label_externalize_audit_t(
struct label *label,
char *element_name,
struct sbuf *sb
);
/**
@brief Externalize a user credential label
@param label Label to be externalized
@param element_name Name of the label namespace for which labels should be
externalized
@param sb String buffer to be filled with a text representation of the label
Produce an external representation of the label on a user
credential. An externalized label consists of a text representation
of the label contents that can be used with user applications.
Policy-agnostic user space tools will display this externalized
version.
@return 0 on success, return non-zero if an error occurs while
externalizing the label data.
*/typedefintmpo_cred_label_externalize_t(
struct label *label,
char *element_name,
struct sbuf *sb
);
/**
@brief Initialize user credential label
@param label New label to initialize
Initialize the label for a newly instantiated user credential.
Sleeping is permitted.
*/typedefvoidmpo_cred_label_init_t(
struct label *label
);
/**
@brief Internalize a user credential label
@param label Label to be internalized
@param element_name Name of the label namespace for which the label should
be internalized
@param element_data Text data to be internalized
Produce a user credential label from an external representation. An
externalized label consists of a text representation of the label
contents that can be used with user applications. Policy-agnostic
user space tools will forward text version to the kernel for
processing by individual policy modules.
The policy's internalize entry points will be called only if the
policy has registered interest in the label namespace.
@return 0 on success, Otherwise, return non-zero if an error occurs
while internalizing the label data.
*/typedefintmpo_cred_label_internalize_t(
struct label *label,
char *element_name,
char *element_data
);
/**
@brief Update credential at exec time
@param old_cred Existing subject credential
@param new_cred New subject credential to be labeled
@param vp File being executed
@param vnodelabel Label corresponding to vp
@param scriptvnodelabel Script vnode label
@param execlabel Userspace provided execution label
@see mac_execve
@see mpo_cred_check_label_update_execve_t
@see mpo_vnode_check_exec_t
Update the label of a newly created credential (new) from the
existing subject credential (old). This call occurs when a process
executes the passed vnode and one of the loaded policy modules has
returned success from the mpo_cred_check_label_update_execve entry point.
Access has already been checked via the mpo_vnode_check_exec entry
point, this entry point is only used to update any policy state.
The supplied vnode and vnodelabel correspond with the file actually
being executed; in the case that the file is interpreted (for
example, a script), the label of the original exec-time vnode has
been preserved in scriptvnodelabel.
The final label, execlabel, corresponds to a label supplied by a
user space application through the use of the mac_execve system call.
If non-NULL, the value pointed to by disjointp will be set to 0 to
indicate that the old and new credentials are not disjoint, or 1 to
indicate that they are.
The vnode lock is held during this operation. No changes should be
made to the old credential structure.
*/typedefvoidmpo_cred_label_update_execve_t(
kauth_cred_t old_cred,
kauth_cred_t new_cred,
struct vnode *vp,
struct label *vnodelabel,
struct label *scriptvnodelabel,
struct label *execlabel,
int *disjointp
);
/**
@brief Update a credential label
@param cred The existing credential
@param newlabel A new label to apply to the credential
@see mpo_cred_check_label_update_t
@see mac_set_proc
Update the label on a user credential, using the supplied new label.
This is called as a result of a process relabel operation. Access
control was already confirmed by mpo_cred_check_label_update.
*/typedefvoidmpo_cred_label_update_t(
kauth_cred_t cred,
struct label *newlabel
);
/**
@brief Create a new devfs device
@param dev Major and minor numbers of special file
@param de "inode" of new device file
@param label Destination label
@param fullpath Path relative to mount (e.g. /dev) of new device file
This entry point labels a new devfs device. The label will likely be based
on the path to the device, or the major and minor numbers.
The policy should store an appropriate label into 'label'.
*/typedefvoidmpo_devfs_label_associate_device_t(
dev_t dev,
struct devnode *de,
struct label *label,
constchar *fullpath
);
/**
@brief Create a new devfs directory
@param dirname Name of new directory
@param dirnamelen Length of 'dirname'
@param de "inode" of new directory
@param label Destination label
@param fullpath Path relative to mount (e.g. /dev) of new directory
This entry point labels a new devfs directory. The label will likely be
based on the path of the new directory. The policy should store an appropriate
label into 'label'. The devfs root directory is labelled in this way.
*/typedefvoidmpo_devfs_label_associate_directory_t(
constchar *dirname,
int dirnamelen,
struct devnode *de,
struct label *label,
constchar *fullpath
);
/**
@brief Copy a devfs label
@param src Source devfs label
@param dest Destination devfs label
Copy the label information from src to dest. The devfs file system
often duplicates (splits) existing device nodes rather than creating
new ones.
*/typedefvoidmpo_devfs_label_copy_t(
struct label *src,
struct label *dest
);
/**
@brief Destroy devfs label
@param label The label to be destroyed
Destroy a devfs entry label. Since the object is going out
of scope, policy modules should free any internal storage associated
with the label so that it may be destroyed.
*/typedefvoidmpo_devfs_label_destroy_t(
struct label *label
);
/**
@brief Initialize devfs label
@param label New label to initialize
Initialize the label for a newly instantiated devfs entry. Sleeping
is permitted.
*/typedefvoidmpo_devfs_label_init_t(
struct label *label
);
/**
@brief Update a devfs label after relabelling its vnode
@param mp Devfs mount point
@param de Affected devfs directory entry
@param delabel Label of devfs directory entry
@param vp Vnode associated with de
@param vnodelabel New label of vnode
Update a devfs label when its vnode is manually relabelled,
for example with setfmac(1). Typically, this will simply copy
the vnode label into the devfs label.
*/typedefvoidmpo_devfs_label_update_t(
struct mount *mp,
struct devnode *de,
struct label *delabel,
struct vnode *vp,
struct label *vnodelabel
);
/**
@brief Access control for changing the offset of a file descriptor
@param cred Subject credential
@param fg Fileglob structure
@param label Policy label for fg
Determine whether the subject identified by the credential can
change the offset of the file represented by fg.
@return Return 0 if access if granted, otherwise an appropriate
value for errno should be returned.
*/typedefintmpo_file_check_change_offset_t(
kauth_cred_t cred,
struct fileglob *fg,
struct label *label
);
/**
@brief Access control for creating a file descriptor
@param cred Subject credential
Determine whether the subject identified by the credential can
allocate a new file descriptor.
@return Return 0 if access if granted, otherwise an appropriate
value for errno should be returned.
*/typedefintmpo_file_check_create_t(
kauth_cred_t cred
);
/**
@brief Access control for duplicating a file descriptor
@param cred Subject credential
@param fg Fileglob structure
@param label Policy label for fg
@param newfd New file descriptor number
Determine whether the subject identified by the credential can
duplicate the fileglob structure represented by fg and as file
descriptor number newfd.
@return Return 0 if access if granted, otherwise an appropriate
value for errno should be returned.
*/typedefintmpo_file_check_dup_t(
kauth_cred_t cred,
struct fileglob *fg,
struct label *label,
int newfd
);
/**
@brief Access control check for fcntl
@param cred Subject credential
@param fg Fileglob structure
@param label Policy label for fg
@param cmd Control operation to be performed; see fcntl(2)
@param arg fcnt arguments; see fcntl(2)
Determine whether the subject identified by the credential can perform
the file control operation indicated by cmd.
@return Return 0 if access is granted, otherwise an appropriate value for
errno should be returned.
*/typedefintmpo_file_check_fcntl_t(
kauth_cred_t cred,
struct fileglob *fg,
struct label *label,
int cmd,
user_long_t arg
);
/**
@brief Access control check for mac_get_fd
@param cred Subject credential
@param fg Fileglob structure
@param elements Element buffer
@param len Length of buffer
Determine whether the subject identified by the credential should be allowed
to get an externalized version of the label on the object indicated by fd.
@return Return 0 if access is granted, otherwise an appropriate value for
errno should be returned.
*/typedefintmpo_file_check_get_t(
kauth_cred_t cred,
struct fileglob *fg,
char *elements,
int len
);
/**
@brief Access control for getting the offset of a file descriptor
@param cred Subject credential
@param fg Fileglob structure
@param label Policy label for fg
Determine whether the subject identified by the credential can
get the offset of the file represented by fg.
@return Return 0 if access if granted, otherwise an appropriate
value for errno should be returned.
*/typedefintmpo_file_check_get_offset_t(
kauth_cred_t cred,
struct fileglob *fg,
struct label *label
);
/**
@brief Access control for inheriting a file descriptor
@param cred Subject credential
@param fg Fileglob structure
@param label Policy label for fg
Determine whether the subject identified by the credential can
inherit the fileglob structure represented by fg.
@return Return 0 if access if granted, otherwise an appropriate
value for errno should be returned.
*/typedefintmpo_file_check_inherit_t(
kauth_cred_t cred,
struct fileglob *fg,
struct label *label
);
/**
@brief Access control check for file ioctl
@param cred Subject credential
@param fg Fileglob structure
@param label Policy label for fg
@param cmd The ioctl command; see ioctl(2)
Determine whether the subject identified by the credential can perform
the ioctl operation indicated by cmd.
@warning Since ioctl data is opaque from the standpoint of the MAC
framework, policies must exercise extreme care when implementing
access control checks.
@return Return 0 if access is granted, otherwise an appropriate value for
errno should be returned.
*/typedefintmpo_file_check_ioctl_t(
kauth_cred_t cred,
struct fileglob *fg,
struct label *label,
unsignedint cmd
);
/**
@brief Access control check for file locking
@param cred Subject credential
@param fg Fileglob structure
@param label Policy label for fg
@param op The lock operation (F_GETLK, F_SETLK, F_UNLK)
@param fl The flock structure
Determine whether the subject identified by the credential can perform
the lock operation indicated by op and fl on the file represented by fg.
@return Return 0 if access is granted, otherwise an appropriate value for
errno should be returned.
*/typedefintmpo_file_check_lock_t(
kauth_cred_t cred,
struct fileglob *fg,
struct label *label,
int op,
struct flock *fl
);
/**
@brief Access control check for mapping a file
@param cred Subject credential
@param fg fileglob representing file to map
@param label Policy label associated with vp
@param prot mmap protections; see mmap(2)
@param flags Type of mapped object; see mmap(2)
@param maxprot Maximum rights
Determine whether the subject identified by the credential should be
allowed to map the file represented by fg with the protections specified
in prot. The maxprot field holds the maximum permissions on the new
mapping, a combination of VM_PROT_READ, VM_PROT_WRITE, and VM_PROT_EXECUTE.
To avoid overriding prior access control checks, a policy should only
remove flags from maxprot.
@return Return 0 if access is granted, otherwise an appropriate value for
errno should be returned. Suggested failure: EACCES for label mismatch or
EPERM for lack of privilege.
*/typedefintmpo_file_check_mmap_t(
kauth_cred_t cred,
struct fileglob *fg,
struct label *label,
int prot,
int flags,
int *maxprot
);
/**
@brief Downgrade the mmap protections
@param cred Subject credential
@param fg file to map
@param label Policy label associated with vp
@param prot mmap protections to be downgraded
Downgrade the mmap protections based on the subject and object labels.
*/typedefvoidmpo_file_check_mmap_downgrade_t(
kauth_cred_t cred,
struct fileglob *fg,
struct label *label,
int *prot
);
/**
@brief Access control for receiving a file descriptor
@param cred Subject credential
@param fg Fileglob structure
@param label Policy label for fg
Determine whether the subject identified by the credential can
receive the fileglob structure represented by fg.
@return Return 0 if access if granted, otherwise an appropriate
value for errno should be returned.
*/typedefintmpo_file_check_receive_t(
kauth_cred_t cred,
struct fileglob *fg,
struct label *label
);
/**
@brief Access control check for mac_set_fd
@param cred Subject credential
@param fg Fileglob structure
@param elements Elements buffer
@param len Length of elements buffer
Determine whether the subject identified by the credential can
perform the mac_set_fd operation. The mac_set_fd operation is used
to associate a MAC label with a file.
@return Return 0 if access is granted, otherwise an appropriate value for
errno should be returned.
*/typedefintmpo_file_check_set_t(
kauth_cred_t cred,
struct fileglob *fg,
char *elements,
int len
);
/**
@brief Create file label
@param cred Subject credential
@param fg Fileglob structure
@param label Policy label for fg
*/typedefvoidmpo_file_label_associate_t(
kauth_cred_t cred,
struct fileglob *fg,
struct label *label
);
/**
@brief Destroy file label
@param label The label to be destroyed
Destroy the label on a file descriptor. In this entry point, a
policy module should free any internal storage associated with
label so that it may be destroyed.
*/typedefvoidmpo_file_label_destroy_t(
struct label *label
);
/**
@brief Initialize file label
@param label New label to initialize
*/typedefvoidmpo_file_label_init_t(
struct label *label
);
/**
@brief Access control check for relabeling network interfaces
@param cred Subject credential
@param ifp network interface being relabeled
@param ifnetlabel Current label of the network interfaces
@param newlabel New label to apply to the network interfaces
@see mpo_ifnet_label_update_t
Determine whether the subject identified by the credential can
relabel the network interface represented by ifp to the supplied
new label (newlabel).
@return Return 0 if access is granted, otherwise an appropriate value for
errno should be returned.
*/typedefintmpo_ifnet_check_label_update_t(
kauth_cred_t cred,
struct ifnet *ifp,
struct label *ifnetlabel,
struct label *newlabel
);
/**
@brief Access control check for relabeling network interfaces
@param ifp Network interface mbuf will be transmitted through
@param ifnetlabel Label of the network interfaces
@param m The mbuf to be transmitted
@param mbuflabel Label of the mbuf to be transmitted
@param family Address Family, AF_*
@param type Type of socket, SOCK_{STREAM,DGRAM,RAW}
Determine whether the mbuf with label mbuflabel may be transmitted
through the network interface represented by ifp that has the
label ifnetlabel.
@return Return 0 if access is granted, otherwise an appropriate value for
errno should be returned.
*/typedefintmpo_ifnet_check_transmit_t(
struct ifnet *ifp,
struct label *ifnetlabel,
struct mbuf *m,
struct label *mbuflabel,
int family,
int type
);
/**
@brief Create a network interface label
@param ifp Network interface labeled
@param ifnetlabel Label for the network interface
Set the label of a newly created network interface, most likely
using the information in the supplied network interface struct.
*/typedefvoidmpo_ifnet_label_associate_t(
struct ifnet *ifp,
struct label *ifnetlabel
);
/**
@brief Copy an ifnet label
@param src Source ifnet label
@param dest Destination ifnet label
Copy the label information from src to dest.
*/typedefvoidmpo_ifnet_label_copy_t(
struct label *src,
struct label *dest
);
/**
@brief Destroy ifnet label
@param label The label to be destroyed
Destroy the label on an ifnet label. In this entry point, a
policy module should free any internal storage associated with
label so that it may be destroyed.
*/typedefvoidmpo_ifnet_label_destroy_t(
struct label *label
);
/**
@brief Externalize an ifnet label
@param label Label to be externalized
@param element_name Name of the label namespace for which labels should be
externalized
@param sb String buffer to be filled with a text representation of the label
Produce an external representation of the label on an interface.
An externalized label consists of a text representation of the
label contents that can be used with user applications.
Policy-agnostic user space tools will display this externalized
version.
@return 0 on success, return non-zero if an error occurs while
externalizing the label data.
*/typedefintmpo_ifnet_label_externalize_t(
struct label *label,
char *element_name,
struct sbuf *sb
);
/**
@brief Initialize ifnet label
@param label New label to initialize
*/typedefvoidmpo_ifnet_label_init_t(
struct label *label
);
/**
@brief Internalize an interface label
@param label Label to be internalized
@param element_name Name of the label namespace for which the label should
be internalized
@param element_data Text data to be internalized
Produce an interface label from an external representation. An
externalized label consists of a text representation of the label
contents that can be used with user applications. Policy-agnostic
user space tools will forward text version to the kernel for
processing by individual policy modules.
The policy's internalize entry points will be called only if the
policy has registered interest in the label namespace.
@return 0 on success, Otherwise, return non-zero if an error occurs
while internalizing the label data.
*/typedefintmpo_ifnet_label_internalize_t(
struct label *label,
char *element_name,
char *element_data
);
/**
@brief Recycle up a network interface label
@param label The label to be recycled
Recycle a network interface label. Darwin caches the struct ifnet
of detached ifnets in a "free pool". Before ifnets are returned
to the "free pool", policies can cleanup or overwrite any information
present in the label.
*/typedefvoidmpo_ifnet_label_recycle_t(
struct label *label
);
/**
@brief Update a network interface label
@param cred Subject credential
@param ifp The network interface to be relabeled
@param ifnetlabel The current label of the network interface
@param newlabel A new label to apply to the network interface
@see mpo_ifnet_check_label_update_t
Update the label on a network interface, using the supplied new label.
*/typedefvoidmpo_ifnet_label_update_t(
kauth_cred_t cred,
struct ifnet *ifp,
struct label *ifnetlabel,
struct label *newlabel
);
/**
@brief Access control check for delivering a packet to a socket
@param inp inpcb the socket is associated with
@param inplabel Label of the inpcb
@param m The mbuf being received
@param mbuflabel Label of the mbuf being received
@param family Address family, AF_*
@param type Type of socket, SOCK_{STREAM,DGRAM,RAW}
Determine whether the mbuf with label mbuflabel may be received
by the socket associated with inpcb that has the label inplabel.
@return Return 0 if access is granted, otherwise an appropriate value for
errno should be returned.
*/typedefintmpo_inpcb_check_deliver_t(
struct inpcb *inp,
struct label *inplabel,
struct mbuf *m,
struct label *mbuflabel,
int family,
int type
);
/**
@brief Create an inpcb label
@param so Socket containing the inpcb to be labeled
@param solabel Label of the socket
@param inp inpcb to be labeled
@param inplabel Label for the inpcb
Set the label of a newly created inpcb, most likely
using the information in the socket and/or socket label.
*/typedefvoidmpo_inpcb_label_associate_t(
struct socket *so,
struct label *solabel,
struct inpcb *inp,
struct label *inplabel
);
/**
@brief Destroy inpcb label
@param label The label to be destroyed
Destroy the label on an inpcb label. In this entry point, a
policy module should free any internal storage associated with
label so that it may be destroyed.
*/typedefvoidmpo_inpcb_label_destroy_t(
struct label *label
);
/**
@brief Initialize inpcb label
@param label New label to initialize
@param flag M_WAITOK or M_NOWAIT
*/typedefintmpo_inpcb_label_init_t(
struct label *label,
int flag
);
/**
@brief Recycle up an inpcb label
@param label The label to be recycled
Recycle an inpcb label. Darwin allocates the inpcb as part of
the socket structure in some cases. For this case we must recycle
rather than destroy the inpcb as it will be reused later.
*/typedefvoidmpo_inpcb_label_recycle_t(
struct label *label
);
/**
@brief Update an inpcb label from a socket label
@param so Socket containing the inpcb to be relabeled
@param solabel New label of the socket
@param inp inpcb to be labeled
@param inplabel Label for the inpcb
Set the label of a newly created inpcb due to a change in the
underlying socket label.
*/typedefvoidmpo_inpcb_label_update_t(
struct socket *so,
struct label *solabel,
struct inpcb *inp,
struct label *inplabel
);
/**
@brief Device hardware access control
@param devtype Type of device connected
@param properties XML-formatted property list
@param proplen Length of the property list
This is the MAC Framework device access control, which is called by the I/O
Kit when a new device is connected to the system to determine whether that
device should be trusted. A list of properties associated with the device
is passed as an XML-formatted string. The routine should examine these
properties to determine the trustworthiness of the device. A return value
of EPERM forces the device to be claimed by a special device driver that
will prevent its operation.
@warning This is an experimental interface and may change in the future.
@return Return EPERM to indicate that the device is untrusted and should
not be allowed to operate. Return zero to indicate that the device is
trusted and should be allowed to operate normally.
*/typedefintmpo_iokit_check_device_t(
char *devtype,
struct mac_module_data *mdata
);
/**
@brief Access control check for opening an I/O Kit device
@param cred Subject credential
@param device_path Device path
@param user_client User client instance
@param user_client_type User client type
Determine whether the subject identified by the credential can open an
I/O Kit device at the passed path of the passed user client class and
type.
@return Return 0 if access is granted, or an appropriate value for
errno should be returned.
*/typedefintmpo_iokit_check_open_t(
kauth_cred_t cred,
io_object_t user_client,
unsignedint user_client_type
);
/**
@brief Access control check for setting I/O Kit device properties
@param cred Subject credential
@param registry_entry Target device
@param properties Property list
Determine whether the subject identified by the credential can set
properties on an I/O Kit device.
@return Return 0 if access is granted, or an appropriate value for
errno should be returned.
*/typedefintmpo_iokit_check_set_properties_t(
kauth_cred_t cred,
io_object_t entry,
io_object_t properties
);
/**
@brief Access control check for software HID control
@param cred Subject credential
Determine whether the subject identified by the credential can
control the HID (Human Interface Device) subsystem, such as to
post synthetic keypresses, pointer movement and clicks.
@return Return 0 if access is granted, or an appropriate value for
errno.
*/typedefintmpo_iokit_check_hid_control_t(
kauth_cred_t cred
);
/**
@brief Create an IP reassembly queue label
@param fragment First received IP fragment
@param fragmentlabel Policy label for fragment
@param ipq IP reassembly queue to be labeled
@param ipqlabel Policy label to be filled in for ipq
Set the label on a newly created IP reassembly queue from
the mbuf header of the first received fragment.
*/typedefvoidmpo_ipq_label_associate_t(
struct mbuf *fragment,
struct label *fragmentlabel,
struct ipq *ipq,
struct label *ipqlabel
);
/**
@brief Compare an mbuf header label to an ipq label
@param fragment IP datagram fragment
@param fragmentlabel Policy label for fragment
@param ipq IP fragment reassembly queue
@param ipqlabel Policy label for ipq
Compare the label of the mbuf header containing an IP datagram
(fragment) fragment with the label of the passed IP fragment
reassembly queue (ipq). Return (1) for a successful match, or (0)
for no match. This call is made when the IP stack attempts to
find an existing fragment reassembly queue for a newly received
fragment; if this fails, a new fragment reassembly queue may be
instantiated for the fragment. Policies may use this entry point
to prevent the reassembly of otherwise matching IP fragments if
policy does not permit them to be reassembled based on the label
or other information.
*/typedefintmpo_ipq_label_compare_t(
struct mbuf *fragment,
struct label *fragmentlabel,
struct ipq *ipq,
struct label *ipqlabel
);
/**
@brief Destroy IP reassembly queue label
@param label The label to be destroyed
Destroy the label on an IP fragment queue. In this entry point, a
policy module should free any internal storage associated with
label so that it may be destroyed.
*/typedefvoidmpo_ipq_label_destroy_t(
struct label *label
);
/**
@brief Initialize IP reassembly queue label
@param label New label to initialize
@param flag M_WAITOK or M_NOWAIT
Initialize the label on a newly instantiated IP fragment reassembly
queue. The flag field may be one of M_WAITOK and M_NOWAIT, and
should be employed to avoid performing a sleeping malloc(9) during
this initialization call. IP fragment reassembly queue allocation
frequently occurs in performance sensitive environments, and the
implementation should be careful to avoid sleeping or long-lived
operations. This entry point is permitted to fail resulting in
the failure to allocate the IP fragment reassembly queue.
*/typedefintmpo_ipq_label_init_t(
struct label *label,
int flag
);
/**
@brief Update the label on an IP fragment reassembly queue
@param fragment IP fragment
@param fragmentlabel Policy label for fragment
@param ipq IP fragment reassembly queue
@param ipqlabel Policy label to be updated for ipq
Update the label on an IP fragment reassembly queue (ipq) based
on the acceptance of the passed IP fragment mbuf header (fragment).
*/typedefvoidmpo_ipq_label_update_t(
struct mbuf *fragment,
struct label *fragmentlabel,
struct ipq *ipq,
struct label *ipqlabel
);
/**
@brief Access control check for relabelling Login Context
@param l Subject credential
@param newlabel New label to apply to the Login Context
@see mpo_lctx_label_update_t
@see mac_set_lcid
@see mac_set_lctx
Determine whether the subject identified by the credential can relabel
itself to the supplied new label (newlabel). This access control check
is called when the mac_set_lctx/lcid system call is invoked. A user space
application will supply a new value, the value will be internalized
and provided in newlabel.
@return Return 0 if access is granted, otherwise an appropriate value for
errno should be returned.
*/typedefintmpo_lctx_check_label_update_t(
struct lctx *l,
struct label *newlabel
);
/**
@brief Destroy Login Context label
@param label The label to be destroyed
*/typedefvoidmpo_lctx_label_destroy_t(
struct label *label
);
/**
@brief Externalize a Login Context label
@param label Label to be externalized
@param element_name Name of the label namespace for which labels should be
externalized
@param sb String buffer to be filled with a text representation of the label
Produce an external representation of the label on a Login Context.
An externalized label consists of a text representation
of the label contents that can be used with user applications.
Policy-agnostic user space tools will display this externalized
version.
@return 0 on success, return non-zero if an error occurs while
externalizing the label data.
*/typedefintmpo_lctx_label_externalize_t(
struct label *label,
char *element_name,
struct sbuf *sb
);
/**
@brief Initialize Login Context label
@param label New label to initialize
*/typedefvoidmpo_lctx_label_init_t(
struct label *label
);
/**
@brief Internalize a Login Context label
@param label Label to be internalized
@param element_name Name of the label namespace for which the label should
be internalized
@param element_data Text data to be internalized
Produce a Login Context label from an external representation. An
externalized label consists of a text representation of the label
contents that can be used with user applications. Policy-agnostic
user space tools will forward text version to the kernel for
processing by individual policy modules.
The policy's internalize entry points will be called only if the
policy has registered interest in the label namespace.
@return 0 on success, Otherwise, return non-zero if an error occurs
while internalizing the label data.
*/typedefintmpo_lctx_label_internalize_t(
struct label *label,
char *element_name,
char *element_data
);
/**
@brief Update a Login Context label
@param l
@param newlabel A new label to apply to the Login Context
@see mpo_lctx_check_label_update_t
@see mac_set_lcid
@see mac_set_lctx
Update the label on a login context, using the supplied new label.
This is called as a result of a login context relabel operation. Access
control was already confirmed by mpo_lctx_check_label_update.
*/typedefvoidmpo_lctx_label_update_t(
struct lctx *l,
struct label *newlabel
);
/**
@brief A process has created a login context
@param p Subject
@param l Login Context
When a process creates a login context (via setlcid()) this entrypoint
is called to notify the policy that the process 'p' has created login
context 'l'.
*/typedefvoidmpo_lctx_notify_create_t(
struct proc *p,
struct lctx *l
);
/**
@brief A process has joined a login context
@param p Subject
@param l Login Context
When a process joins a login context, either via setlcid() or via
fork() this entrypoint is called to notify the policy that process
'p' is now a member of login context 'l'.
*/typedefvoidmpo_lctx_notify_join_t(
struct proc *p,
struct lctx *l
);
/**
@brief A process has left a login context
@param p Subject
@param l Login Context
When a process leaves a login context either via setlcid() or as a
result of the process exiting this entrypoint is called to notify
the policy that the process 'p' is no longer a member of login context 'l'.
*/typedefvoidmpo_lctx_notify_leave_t(
struct proc *p,
struct lctx *l
);
/**
@brief Assign a label to a new mbuf
@param bpf_d BPF descriptor
@param b_label Policy label for bpf_d
@param m Object; mbuf
@param m_label Policy label to fill in for m
Set the label on the mbuf header of a newly created datagram
generated using the passed BPF descriptor. This call is made when
a write is performed to the BPF device associated with the passed
BPF descriptor.
*/typedefvoidmpo_mbuf_label_associate_bpfdesc_t(
struct bpf_d *bpf_d,
struct label *b_label,
struct mbuf *m,
struct label *m_label
);
/**
@brief Assign a label to a new mbuf
@param ifp Interface descriptor
@param i_label Existing label of ifp
@param m Object; mbuf
@param m_label Policy label to fill in for m
Label an mbuf based on the interface from which it was received.
*/typedefvoidmpo_mbuf_label_associate_ifnet_t(
struct ifnet *ifp,
struct label *i_label,
struct mbuf *m,
struct label *m_label
);
/**
@brief Assign a label to a new mbuf
@param inp inpcb structure
@param i_label Existing label of inp
@param m Object; mbuf
@param m_label Policy label to fill in for m
Label an mbuf based on the inpcb from which it was derived.
*/typedefvoidmpo_mbuf_label_associate_inpcb_t(
struct inpcb *inp,
struct label *i_label,
struct mbuf *m,
struct label *m_label
);
/**
@brief Set the label on a newly reassembled IP datagram
@param ipq IP fragment reassembly queue
@param ipqlabel Policy label for ipq
@param mbuf IP datagram to be labeled
@param mbuflabel Policy label to be filled in for mbuf
Set the label on a newly reassembled IP datagram (mbuf) from the IP
fragment reassembly queue (ipq) from which it was generated.
*/typedefvoidmpo_mbuf_label_associate_ipq_t(
struct ipq *ipq,
struct label *ipqlabel,
struct mbuf *mbuf,
struct label *mbuflabel
);
/**
@brief Assign a label to a new mbuf
@param ifp Subject; network interface
@param i_label Existing label of ifp
@param m Object; mbuf
@param m_label Policy label to fill in for m
Set the label on the mbuf header of a newly created datagram
generated for the purposes of a link layer response for the passed
interface. This call may be made in a number of situations, including
for ARP or ND6 responses in the IPv4 and IPv6 stacks.
*/typedefvoidmpo_mbuf_label_associate_linklayer_t(
struct ifnet *ifp,
struct label *i_label,
struct mbuf *m,
struct label *m_label
);
/**
@brief Assign a label to a new mbuf
@param oldmbuf mbuf headerder for existing datagram for existing datagram
@param oldmbuflabel Policy label for oldmbuf
@param ifp Network interface
@param ifplabel Policy label for ifp
@param newmbuf mbuf header to be labeled for new datagram
@param newmbuflabel Policy label for newmbuf
Set the label on the mbuf header of a newly created datagram
generated from the existing passed datagram when it is processed
by the passed multicast encapsulation interface. This call is made
when an mbuf is to be delivered using the virtual interface.
*/typedefvoidmpo_mbuf_label_associate_multicast_encap_t(
struct mbuf *oldmbuf,
struct label *oldmbuflabel,
struct ifnet *ifp,
struct label *ifplabel,
struct mbuf *newmbuf,
struct label *newmbuflabel
);
/**
@brief Assign a label to a new mbuf
@param oldmbuf Received datagram
@param oldmbuflabel Policy label for oldmbuf
@param newmbuf Newly created datagram
@param newmbuflabel Policy label for newmbuf
Set the label on the mbuf header of a newly created datagram generated
by the IP stack in response to an existing received datagram (oldmbuf).
This call may be made in a number of situations, including when responding
to ICMP request datagrams.
*/typedefvoidmpo_mbuf_label_associate_netlayer_t(
struct mbuf *oldmbuf,
struct label *oldmbuflabel,
struct mbuf *newmbuf,
struct label *newmbuflabel
);
/**
@brief Assign a label to a new mbuf
@param so Socket to label
@param so_label Policy label for socket
@param m Object; mbuf
@param m_label Policy label to fill in for m
An mbuf structure is used to store network traffic in transit.
When an application sends data to a socket or a pipe, it is wrapped
in an mbuf first. This function sets the label on a newly created mbuf header
based on the socket sending the data. The contents of the label should be
suitable for performing an access check on the receiving side of the
communication.
Only labeled MBUFs will be presented to the policy via this entrypoint.
*/typedefvoidmpo_mbuf_label_associate_socket_t(
socket_t so,
struct label *so_label,
struct mbuf *m,
struct label *m_label
);
/**
@brief Copy a mbuf label
@param src Source label
@param dest Destination label
Copy the mbuf label information in src into dest.
Only called when both source and destination mbufs have labels.
*/typedefvoidmpo_mbuf_label_copy_t(
struct label *src,
struct label *dest
);
/**
@brief Destroy mbuf label
@param label The label to be destroyed
Destroy a mbuf label. Since the
object is going out of scope, policy modules should free any
internal storage associated with the label so that it may be
destroyed.
*/typedefvoidmpo_mbuf_label_destroy_t(
struct label *label
);
/**
@brief Initialize mbuf label
@param label New label to initialize
@param flag Malloc flags
Initialize the label for a newly instantiated mbuf.
@warning Since it is possible for the flags to be set to
M_NOWAIT, the malloc operation may fail.
@return On success, 0, otherwise, an appropriate errno return value.
*/typedefintmpo_mbuf_label_init_t(
struct label *label,
int flag
);
/**
@brief Access control check for fsctl
@param cred Subject credential
@param mp The mount point
@param label Label associated with the mount point
@param com Filesystem-dependent request code; see fsctl(2)
Determine whether the subject identified by the credential can perform
the volume operation indicated by com.
@warning The fsctl() system call is directly analogous to ioctl(); since
the associated data is opaque from the standpoint of the MAC framework
and since these operations can affect many aspects of system operation,
policies must exercise extreme care when implementing access control checks.
@return Return 0 if access is granted, otherwise an appropriate value for
errno should be returned.
*/typedefintmpo_mount_check_fsctl_t(
kauth_cred_t cred,
struct mount *mp,
struct label *label,
unsignedint cmd
);
/**
@brief Access control check for the retrieval of file system attributes
@param cred Subject credential
@param mp The mount structure of the file system
@param vfa The attributes requested
This entry point determines whether given subject can get information
about the given file system. This check happens during statfs() syscalls,
but is also used by other parts within the kernel such as the audit system.
@return Return 0 if access is granted, otherwise an appropriate value for
errno should be returned.
*/typedefintmpo_mount_check_getattr_t(
kauth_cred_t cred,
struct mount *mp,
struct label *mp_label,
struct vfs_attr *vfa
);
/**
@brief Access control check for mount point relabeling
@param cred Subject credential
@param mp Object file system mount point
@param mntlabel Policy label for fle system mount point
Determine whether the subject identified by the credential can relabel
the mount point. This call is made when a file system mount is updated.
@return Return 0 if access is granted, otherwise an appropriate value for
errno should be returned. Suggested failure: EACCES for label mismatch
or EPERM for lack of privilege.
*/typedefintmpo_mount_check_label_update_t(
kauth_cred_t cred,
struct mount *mp,
struct label *mntlabel
);
/**
@brief Access control check for mounting a file system
@param cred Subject credential
@param vp Vnode that is to be the mount point
@param vlabel Label associated with the vnode
@param cnp Component name for vp
@param vfc_name Filesystem type name
Determine whether the subject identified by the credential can perform
the mount operation on the target vnode.
@return Return 0 if access is granted, otherwise an appropriate value for
errno should be returned.
*/typedefintmpo_mount_check_mount_t(
kauth_cred_t cred,
struct vnode *vp,
struct label *vlabel,
struct componentname *cnp,
constchar *vfc_name
);
/**
@brief Access control check remounting a filesystem
@param cred Subject credential
@param mp The mount point
@param mlabel Label currently associated with the mount point
Determine whether the subject identified by the credential can perform
the remount operation on the target vnode.
@return Return 0 if access is granted, otherwise an appropriate value for
errno should be returned.
*/typedefintmpo_mount_check_remount_t(
kauth_cred_t cred,
struct mount *mp,
struct label *mlabel
);
/**
@brief Access control check for the settting of file system attributes
@param cred Subject credential
@param mp The mount structure of the file system
@param vfa The attributes requested
This entry point determines whether given subject can set information
about the given file system, for example the volume name.
@return Return 0 if access is granted, otherwise an appropriate value for
errno should be returned.
*/typedefintmpo_mount_check_setattr_t(
kauth_cred_t cred,
struct mount *mp,
struct label *mp_label,
struct vfs_attr *vfa
);
/**
@brief Access control check for file system statistics
@param cred Subject credential
@param mp Object file system mount
@param mntlabel Policy label for mp
Determine whether the subject identified by the credential can see
the results of a statfs performed on the file system. This call may
be made in a number of situations, including during invocations of
statfs(2) and related calls, as well as to determine what file systems
to exclude from listings of file systems, such as when getfsstat(2)
is invoked.
@return Return 0 if access is granted, otherwise an appropriate value for
errno should be returned. Suggested failure: EACCES for label mismatch
or EPERM for lack of privilege.
*/typedefintmpo_mount_check_stat_t(
kauth_cred_t cred,
struct mount *mp,
struct label *mntlabel
);
/**
@brief Access control check for unmounting a filesystem
@param cred Subject credential
@param mp The mount point
@param mlabel Label associated with the mount point
Determine whether the subject identified by the credential can perform
the unmount operation on the target vnode.
@return Return 0 if access is granted, otherwise an appropriate value for
errno should be returned.
*/typedefintmpo_mount_check_umount_t(
kauth_cred_t cred,
struct mount *mp,
struct label *mlabel
);
/**
@brief Create mount labels
@param cred Subject credential
@param mp Mount point of file system being mounted
@param mntlabel Label to associate with the new mount point
@see mpo_mount_label_init_t
Fill out the labels on the mount point being created by the supplied
user credential. This call is made when file systems are first mounted.
*/typedefvoidmpo_mount_label_associate_t(
kauth_cred_t cred,
struct mount *mp,
struct label *mntlabel
);
/**
@brief Destroy mount label
@param label The label to be destroyed
Destroy a file system mount label. Since the
object is going out of scope, policy modules should free any
internal storage associated with the label so that it may be
destroyed.
*/typedefvoidmpo_mount_label_destroy_t(
struct label *label
);
/**
@brief Externalize a mount point label
@param label Label to be externalized
@param element_name Name of the label namespace for which labels should be
externalized
@param sb String buffer to be filled with a text representation of the label
Produce an external representation of the mount point label. An
externalized label consists of a text representation of the label
contents that can be used with user applications. Policy-agnostic
user space tools will display this externalized version.
The policy's externalize entry points will be called only if the
policy has registered interest in the label namespace.
@return 0 on success, return non-zero if an error occurs while
externalizing the label data.
*/typedefintmpo_mount_label_externalize_t(
struct label *label,
char *element_name,
struct sbuf *sb
);
/**
@brief Initialize mount point label
@param label New label to initialize
Initialize the label for a newly instantiated mount structure.
This label is typically used to store a default label in the case
that the file system has been mounted singlelabel. Since some
file systems do not support persistent labels (extended attributes)
or are read-only (such as CD-ROMs), it is often necessary to store
a default label separately from the label of the mount point
itself. Sleeping is permitted.
*/typedefvoidmpo_mount_label_init_t(
struct label *label
);
/**
@brief Internalize a mount point label
@param label Label to be internalized
@param element_name Name of the label namespace for which the label should
be internalized
@param element_data Text data to be internalized
Produce a mount point file system label from an external representation.
An externalized label consists of a text representation of the label
contents that can be used with user applications. Policy-agnostic
user space tools will forward text version to the kernel for
processing by individual policy modules.
The policy's internalize entry points will be called only if the
policy has registered interest in the label namespace.
@return 0 on success, Otherwise, return non-zero if an error occurs
while internalizing the label data.
*/typedefintmpo_mount_label_internalize_t(
struct label *label,
char *element_name,
char *element_data
);
/**
@brief Set the label on an IPv4 datagram fragment
@param datagram Datagram being fragmented
@param datagramlabel Policy label for datagram
@param fragment New fragment
@param fragmentlabel Policy label for fragment
Called when an IPv4 datagram is fragmented into several smaller datagrams.
Policies implementing mbuf labels will typically copy the label from the
source datagram to the new fragment.
*/typedefvoidmpo_netinet_fragment_t(
struct mbuf *datagram,
struct label *datagramlabel,
struct mbuf *fragment,
struct label *fragmentlabel
);
/**
@brief Set the label on an ICMP reply
@param m mbuf containing the ICMP reply
@param mlabel Policy label for m
A policy may wish to update the label of an mbuf that refers to
an ICMP packet being sent in response to an IP packet. This may
be called in response to a bad packet or an ICMP request.
*/typedefvoidmpo_netinet_icmp_reply_t(
struct mbuf *m,
struct label *mlabel
);
/**
@brief Set the label on a TCP reply
@param m mbuf containing the TCP reply
@param mlabel Policy label for m
Called for outgoing TCP packets not associated with an actual socket.
*/typedefvoidmpo_netinet_tcp_reply_t(
struct mbuf *m,
struct label *mlabel
);
/**
@brief Access control check for pipe ioctl
@param cred Subject credential
@param cpipe Object to be accessed
@param pipelabel The label on the pipe
@param cmd The ioctl command; see ioctl(2)
Determine whether the subject identified by the credential can perform
the ioctl operation indicated by cmd.
@warning Since ioctl data is opaque from the standpoint of the MAC
framework, policies must exercise extreme care when implementing
access control checks.
@return Return 0 if access is granted, otherwise an appropriate value for
errno should be returned.
*/typedefintmpo_pipe_check_ioctl_t(
kauth_cred_t cred,
struct pipe *cpipe,
struct label *pipelabel,
unsignedint cmd
);
/**
@brief Access control check for pipe kqfilter
@param cred Subject credential
@param kn Object knote
@param cpipe Object to be accessed
@param pipelabel Policy label for the pipe
Determine whether the subject identified by the credential can
receive the knote on the passed pipe.
@return Return 0 if access if granted, otherwise an appropriate
value for errno should be returned.
*/typedefintmpo_pipe_check_kqfilter_t(
kauth_cred_t cred,
struct knote *kn,
struct pipe *cpipe,
struct label *pipelabel
);
/**
@brief Access control check for pipe relabel
@param cred Subject credential
@param cpipe Object to be accessed
@param pipelabel The current label on the pipe
@param newlabel The new label to be used
Determine whether the subject identified by the credential can
perform a relabel operation on the passed pipe. The cred object holds
the credentials of the subject performing the operation.
@return Return 0 if access is granted, otherwise an appropriate value for
errno should be returned.
*/typedefintmpo_pipe_check_label_update_t(
kauth_cred_t cred,
struct pipe *cpipe,
struct label *pipelabel,
struct label *newlabel
);
/**
@brief Access control check for pipe read
@param cred Subject credential
@param cpipe Object to be accessed
@param pipelabel The label on the pipe
Determine whether the subject identified by the credential can
perform a read operation on the passed pipe. The cred object holds
the credentials of the subject performing the operation.
@return Return 0 if access is granted, otherwise an appropriate value for
errno should be returned.
*/typedefintmpo_pipe_check_read_t(
kauth_cred_t cred,
struct pipe *cpipe,
struct label *pipelabel
);
/**
@brief Access control check for pipe select
@param cred Subject credential
@param cpipe Object to be accessed
@param pipelabel The label on the pipe
@param which The operation selected on: FREAD or FWRITE
Determine whether the subject identified by the credential can
perform a select operation on the passed pipe. The cred object holds
the credentials of the subject performing the operation.
@return Return 0 if access is granted, otherwise an appropriate value for
errno should be returned.
*/typedefintmpo_pipe_check_select_t(
kauth_cred_t cred,
struct pipe *cpipe,
struct label *pipelabel,
int which
);
/**
@brief Access control check for pipe stat
@param cred Subject credential
@param cpipe Object to be accessed
@param pipelabel The label on the pipe
Determine whether the subject identified by the credential can
perform a stat operation on the passed pipe. The cred object holds
the credentials of the subject performing the operation.
@return Return 0 if access is granted, otherwise an appropriate value for
errno should be returned.
*/typedefintmpo_pipe_check_stat_t(
kauth_cred_t cred,
struct pipe *cpipe,
struct label *pipelabel
);
/**
@brief Access control check for pipe write
@param cred Subject credential
@param cpipe Object to be accessed
@param pipelabel The label on the pipe
Determine whether the subject identified by the credential can
perform a write operation on the passed pipe. The cred object holds
the credentials of the subject performing the operation.
@return Return 0 if access is granted, otherwise an appropriate value for
errno should be returned.
*/typedefintmpo_pipe_check_write_t(
kauth_cred_t cred,
struct pipe *cpipe,
struct label *pipelabel
);
/**
@brief Create a pipe label
@param cred Subject credential
@param cpipe object to be labeled
@param label Label for the pipe object
Create a label for the pipe object being created by the supplied
user credential. This call is made when the pipe is being created
XXXPIPE(for one or both sides of the pipe?).
*/typedefvoidmpo_pipe_label_associate_t(
kauth_cred_t cred,
struct pipe *cpipe,
struct label *pipelabel
);
/**
@brief Copy a pipe label
@param src Source pipe label
@param dest Destination pipe label
Copy the pipe label associated with src to dest.
XXXPIPE Describe when this is used: most likely during pipe creation to
copy from rpipe to wpipe.
*/typedefvoidmpo_pipe_label_copy_t(
struct label *src,
struct label *dest
);
/**
@brief Destroy pipe label
@param label The label to be destroyed
Destroy a pipe label. Since the object is going out of scope,
policy modules should free any internal storage associated with the
label so that it may be destroyed.
*/typedefvoidmpo_pipe_label_destroy_t(
struct label *label
);
/**
@brief Externalize a pipe label
@param label Label to be externalized
@param element_name Name of the label namespace for which labels should be
externalized
@param sb String buffer to be filled with a text representation of the label
Produce an external representation of the label on a pipe.
An externalized label consists of a text representation
of the label contents that can be used with user applications.
Policy-agnostic user space tools will display this externalized
version.
The policy's externalize entry points will be called only if the
policy has registered interest in the label namespace.
@return 0 on success, return non-zero if an error occurs while
externalizing the label data.
*/typedefintmpo_pipe_label_externalize_t(
struct label *label,
char *element_name,
struct sbuf *sb
);
/**
@brief Initialize pipe label
@param label New label to initialize
Initialize label storage for use with a newly instantiated pipe object.
Sleeping is permitted.
*/typedefvoidmpo_pipe_label_init_t(
struct label *label
);
/**
@brief Internalize a pipe label
@param label Label to be internalized
@param element_name Name of the label namespace for which the label should
be internalized
@param element_data Text data to be internalized
Produce a pipe label from an external representation. An
externalized label consists of a text representation of the label
contents that can be used with user applications. Policy-agnostic
user space tools will forward text version to the kernel for
processing by individual policy modules.
The policy's internalize entry points will be called only if the
policy has registered interest in the label namespace.
@return 0 on success, Otherwise, return non-zero if an error occurs
while internalizing the label data.
*/typedefintmpo_pipe_label_internalize_t(
struct label *label,
char *element_name,
char *element_data
);
/**
@brief Update a pipe label
@param cred Subject credential
@param cpipe Object to be labeled
@param oldlabel Existing pipe label
@param newlabel New label to replace existing label
@see mpo_pipe_check_label_update_t
The subject identified by the credential has previously requested
and was authorized to relabel the pipe; this entry point allows
policies to perform the actual relabel operation. Policies should
update oldlabel using the label stored in the newlabel parameter.
*/typedefvoidmpo_pipe_label_update_t(
kauth_cred_t cred,
struct pipe *cpipe,
struct label *oldlabel,
struct label *newlabel
);
/**
@brief Policy unload event
@param mpc MAC policy configuration
This is the MAC Framework policy unload event. This entry point will
only be called if the module's policy configuration allows unload (if
the MPC_LOADTIME_FLAG_UNLOADOK is set). Most security policies won't
want to be unloaded; they should set their flags to prevent this
entry point from being called.
@warning During this call, the mac policy list mutex is held, so
sleep operations cannot be performed, and calls out to other kernel
subsystems must be made with caution.
@see MPC_LOADTIME_FLAG_UNLOADOK
*/typedefvoidmpo_policy_destroy_t(
struct mac_policy_conf *mpc
);
/**
@brief Policy initialization event
@param mpc MAC policy configuration
@see mac_policy_register
@see mpo_policy_initbsd_t
This is the MAC Framework policy initialization event. This entry
point is called during mac_policy_register, when the policy module
is first registered with the MAC Framework. This is often done very
early in the boot process, after the kernel Mach subsystem has been
initialized, but prior to the BSD subsystem being initialized.
Since the kernel BSD services are not yet available, it is possible
that some initialization must occur later, possibly in the
mpo_policy_initbsd_t policy entry point, such as registering BSD system
controls (sysctls). Policy modules loaded at boot time will be
registered and initialized before labeled Mach objects are created.
@warning During this call, the mac policy list mutex is held, so
sleep operations cannot be performed, and calls out to other kernel
subsystems must be made with caution.
*/typedefvoidmpo_policy_init_t(
struct mac_policy_conf *mpc
);
/**
@brief Policy BSD initialization event
@param mpc MAC policy configuration
@see mpo_policy_init_t
This entry point is called after the kernel BSD subsystem has been
initialized. By this point, the module should already be loaded,
registered, and initialized. Since policy modules are initialized
before kernel BSD services are available, this second initialization
phase is necessary. At this point, BSD services (memory management,
synchronization primitives, vfs, etc.) are available, but the first
process has not yet been created. Mach-related objects and tasks
will already be fully initialized and may be in use--policies requiring
ubiquitous labeling may also want to implement mpo_policy_init_t.
@warning During this call, the mac policy list mutex is held, so
sleep operations cannot be performed, and calls out to other kernel
subsystems must be made with caution.
*/typedefvoidmpo_policy_initbsd_t(
struct mac_policy_conf *mpc
);
/**
@brief Policy extension service
@param p Calling process
@param call Policy-specific syscall number
@param arg Pointer to syscall arguments
This entry point provides a policy-multiplexed system call so that
policies may provide additional services to user processes without
registering specific system calls. The policy name provided during
registration is used to demux calls from userland, and the arguments
will be forwarded to this entry point. When implementing new
services, security modules should be sure to invoke appropriate
access control checks from the MAC framework as needed. For
example, if a policy implements an augmented signal functionality,
it should call the necessary signal access control checks to invoke
the MAC framework and other registered policies.
@warning Since the format and contents of the policy-specific
arguments are unknown to the MAC Framework, modules must perform the
required copyin() of the syscall data on their own. No policy
mediation is performed, so policies must perform any necessary
access control checks themselves. If multiple policies are loaded,
they will currently be unable to mediate calls to other policies.
@return In the event of an error, an appropriate value for errno
should be returned, otherwise return 0 upon success.
*/typedefintmpo_policy_syscall_t(
struct proc *p,
int call,
user_addr_t arg
);
/**
@brief Access control check for copying a send right to another task
@param task Label of the sender task
@param port Label of the affected port
Access control check for copying send rights to the port from the
specified task. A complementary entry point, mpo_port_check_hold_send,
handles the receiving task. port_check_copy_send is called as part of
a group of policy invocations when messages with port rights are sent.
All access control checks made for a particular message must be successful
for the message to be sent.
The task label and the port are locked. Sleeping is permitted.
@return Return 0 if access is granted, non-zero otherwise.
*/typedefintmpo_port_check_copy_send_t(
struct label *task,
struct label *port
);
/**
@brief Access control check for obtaining a receive right
@param task Label of the receiving task
@param port Label of the affected port
Access control check for a task obtaining receive rights to a
port. Usually, these are port rights that were obtained with a call
to mach_port_allocate. This entry point is called as part of a
group of policy invocations when messages with port rights are
received. All of these access control checks must succeed in order
to receive the message.
The task label and the port are locked. Sleeping is permitted.
@return Return 0 if access is granted, non-zero otherwise.
*/typedefintmpo_port_check_hold_receive_t(
struct label *task,
struct label *port
);
/**
@brief Access control check for obtaining a send once right
@param task Label of the receiving task
@param port Label of the affected port
Access control check for a task obtaining send once rights to a port. Usually,
these are port rights that were part of a message sent by another userspace
task. port_check_hold_send_once is called as part of a group of policy
invocations when messages with port rights are received. All of these access
control checks must succeed in order to receive the message.
The task label and the port are locked. Sleeping is permitted.
@return Return 0 if access is granted, non-zero otherwise.
*/typedefintmpo_port_check_hold_send_once_t(
struct label *task,
struct label *port
);
/**
@brief Access control check for obtaining a send right
@param task Label of the receiving task
@param port Label of the affected port
Access control check for a task obtaining send rights to a port. Usually,
these are port rights that were part of a message sent by another userspace
task. port_check_hold_send is called as part of a group of policy
invocations when messages with port rights are received. All of these access
control checks must succeed in order to receive the message.
The task label and the port are locked. Sleeping is permitted.
@return Return 0 if access is granted, non-zero otherwise.
*/typedefintmpo_port_check_hold_send_t(
struct label *task,
struct label *port
);
/**
@brief Access control check for relabelling ports
@param task Subject's task label
@param oldlabel Original label of port
@param newlabel New label for port
Access control check for relabelling ports. The policy should
indicate whether the subject is permitted to change the label
of a port from oldlabel to newlabel. The port is locked, but
the subject's task label is not locked.
@warning XXX In future releases, the task label lock will likely
also be held.
@return Return 0 if access is granted, non-zero otherwise.
*/typedefintmpo_port_check_label_update_t(
struct label *task,
struct label *oldlabel,
struct label *newlabel
);
/**
@brief Access control check for producing a send once right from a receive right
@param task Label of the sender task
@param port Label of the affected port
Access control check for obtaining send once rights from receive rights.
The new send once right may be destined for the calling task, or a different
task. In either case the mpo_port_check_hold_send_once entry point handles
the receiving task. port_check_make_send_once may be called as part of a
group of policy invocations when messages with port rights are sent.
All access control checks made for a particular message must be successful
for the message to be sent.
The task label and the port are locked. Sleeping is permitted.
@return Return 0 if access is granted, non-zero otherwise.
*/typedefintmpo_port_check_make_send_once_t(
struct label *task,
struct label *port
);
/**
@brief Access control check for producing a send right from a receive right
@param task Label of the sender task
@param port Label of the affected port
Access control check for obtaining send rights from receive rights. The new
send right may be destined for the calling task, or a different task.
In either case the mpo_port_check_hold_send entry point
handles the receiving task. port_check_make_send may be called as part of
a group of policy invocations when messages with port rights are sent.
All access control checks made for a particular message must be successful
for the message to be sent.
The task label and the port are locked. Sleeping is permitted.
@return Return 0 if access is granted, non-zero otherwise.
*/typedefintmpo_port_check_make_send_t(
struct label *task,
struct label *port
);
/**
@brief Compute access control check for a Mach message-based service
@param proc Sender's process structure (may be NULL)
@param task Sender's task label
@param port Destination port label
@param msgid Message id
Access control computation for message-based services. This entry point
computes permission to the service requested by the specified port and message
id, for example a single MiG server routine, and is unrelated to the access
check for sending messages to ports (but that check must succeed for the
message to be sent to the destination). The result of this access computation
is stored in the message trailer field msgh_ad (only if requested by the
recipient); it does not actually inhibit the message from being sent or
received.
@return 0 for access granted, nonzero for access denied.
*/typedefintmpo_port_check_method_t(
struct proc *proc,
struct label *task,
struct label *port,
int msgid
);
/**
@brief Access control check for transferring a receive right
@param task Label of the sender task
@param port Label of the affected port
Access control check for transferring the receive right to a port out
of the specified task. A complementary entry point,
mpo_port_check_hold_receive, handles the receiving task.
port_check_move_receive is called as part of
a group of policy invocations when messages with port rights are sent.
All access control checks made for a particular message must be successful
for the message to be sent.
The task label and the port are locked. Sleeping is permitted.
@return Return 0 if access is granted, non-zero otherwise.
*/typedefintmpo_port_check_move_receive_t(
struct label *task,
struct label *port
);
/**
@brief Access control check for transferring a send once right
@param task Label of the sender task
@param port Label of the affected port
Access control check for transferring a send once right from one task to
the task listening to the specified port. A complementary entry point,
mpo_port_check_hold_send_once, handles the receiving task.
port_check_move_send_once is called as part of a group of policy invocations
when messages with port rights are sent. All access control checks made
for a particular message must be successful for the message to be sent.
The task label and the port are locked. Sleeping is permitted.
@return Return 0 if access is granted, non-zero otherwise.
*/typedefintmpo_port_check_move_send_once_t(
struct label *task,
struct label *port
);
/**
@brief Access control check for transferring a send right
@param task Label of the sender task
@param port Label of the affected port
Access control check for transferring a send right from one task to the
task listening to the specified port. A complementary entry point,
mpo_port_check_hold_send, handles the receiving task.
port_check_move_send is called as part of a group of policy invocations
when messages with port rights are sent. All access control checks made
for a particular message must be successful for the message to be sent.
The task label and the port are locked. Sleeping is permitted.
@return Return 0 if access is granted, non-zero otherwise.
*/typedefintmpo_port_check_move_send_t(
struct label *task,
struct label *port
);
/**
@brief Access control check for receiving Mach messsages
@param task Label of the receiving task
@param sender Label of the sending task
Access control check for receiving messages. The two labels are locked.
@warning This entry point can be invoked from many places inside the
kernel, with arbitrary other locks held. The implementation of this
entry point must not cause page faults, as those are handled by mach
messages.
@return Return 0 if access is granted, non-zero otherwise.
*/typedefintmpo_port_check_receive_t(
struct label *task,
struct label *sender
);
/**
@brief Access control check for sending Mach messsages
@param task Label of the sender task
@param port Label of the destination port
Access control check for sending messages. The task label and the
port are locked.
@warning This entry point can be invoked from many places inside the
kernel, with arbitrary other locks held. The implementation of this
entry point must not cause page faults, as those are handled by mach
messages.
@return Return 0 if access is granted, non-zero otherwise.
*/typedefintmpo_port_check_send_t(
struct label *task,
struct label *port
);
/**
@brief Generic access control check
@param subj Caller-provided subject label
@param obj Caller-provided object label
@param serv Service or object class name
@param perm Permission, or method, within the specified service
This function provides a general way for a user process to query
an arbitrary access control decision from the system's security policies.
Currently, there are no standards for the format of the service and
permission names. Labels may be either cred or port labels; the policy
must accept either. The userspace interfaces to this entry point allow
label strings or label handles (ports) to be provided.
@return Return 0 if access is granted, non-zero otherwise.
*/typedefintmpo_port_check_service_t(
struct label *subj,
struct label *obj,
constchar *serv,
constchar *perm
);
/**
@brief Assign a label to a new Mach port created by the kernel
@param portlabel Label for the new port
@param isreply True if the port is for a reply message from the kernel
Assign a label to a new port created by the kernel. If the port is being
used to reply to a message, isreply is 1 (0 otherwise). The port is locked.
*/typedefvoidmpo_port_label_associate_kernel_t(
struct label *portlabel,
int isreply
);
/**
@brief Assign a label to a new Mach port
@param it Task label of issuer
@param st Task label of target
@param portlabel Label for the new port
Assign a label to a new port. The policy can base this label on
the label of the calling task, as well as the label of the target task.
The target task is the one which recieves the first right for this port.
Both task labels and the port are locked.
*/typedefvoidmpo_port_label_associate_t(
struct label *it,
struct label *st,
struct label *portlabel
);
/**
@brief Request label for new (userspace) object
@param subj Subject label
@param obj Parent or existing object label
@param serv Name of service
@param out Computed label
Ask the loaded policies to compute a label based on the two input labels
and the service name. There is currently no standard for the service name,
or even what the input labels represent (Subject and parent object are only
a suggestion). If successful, the computed label is stored in out. All labels
must be port (or task) labels. The userspace interfaces to this entry point
allow label handles (ports) to be provided.
@return 0 on success, or an errno value for failure.
*/typedefintmpo_port_label_compute_t(
struct label *subj,
struct label *obj,
constchar *serv,
struct label *out
);
/**
@brief Copy a Mach port label
@param src Source port label
@param dest Destination port label
Copy the Mach port label information from src to dest. This is used
to copy user-suplied labels into an existing port.
*/typedefvoidmpo_port_label_copy_t(
struct label *src,
struct label *dest
);
/**
@brief Destroy Mach port label
@param label The label to be destroyed
Destroy a Mach port label. Since the object is going out of
scope, policy modules should free any internal storage associated
with the label so that it may be destroyed.
*/typedefvoidmpo_port_label_destroy_t(
struct label *label
);
/**
@brief Initialize Mach port label
@param label New label to initialize
Initialize the label for a newly instantiated Mach port. Sleeping
is permitted.
*/typedefvoidmpo_port_label_init_t(
struct label *label
);
/**
@brief Update a Mach task port label
@param cred User credential label to be used as the source
@param task Mach port label to be used as the destination
@see mpo_cred_label_update_t
@see mpo_cred_label_update_execve_t
Update the label on a Mach task port, using the supplied user
credential label. When a mac_cred_label_update_execve or a mac_cred_label_update
operation causes the label on a user credential to change, the Mach
task port label also needs to be updated to reflect the change.
Both labels are already valid (initialized and created).
*/typedefvoidmpo_port_label_update_cred_t(
struct label *cred,
struct label *task
);
/**
@brief Assign a label to a Mach port connected to a kernel object
@param portlabel Label for the port
@param kotype Type of kernel object
Label a kernel port based on the type of object behind it. The
kotype parameter is one of the IKOT constants in
<kern/ipc_kobject.h>. The port already has a valid label from either
mpo_port_label_associate_kernel, or because it is a task port and has a label
derived from the process and task labels. The port is locked.
*/typedefvoidmpo_port_label_update_kobject_t(
struct label *portlabel,
int kotype
);
/**
@brief Access control check for POSIX semaphore create
@param cred Subject credential
@param name String name of the semaphore
Determine whether the subject identified by the credential can create
a POSIX semaphore specified by name.
@return Return 0 if access is granted, otherwise an appropriate value for
errno should be returned.
*/typedefintmpo_posixsem_check_create_t(
kauth_cred_t cred,
constchar *name
);
/**
@brief Access control check for POSIX semaphore open
@param cred Subject credential
@param ps Pointer to semaphore information structure
@param semlabel Label associated with the semaphore
Determine whether the subject identified by the credential can open
the named POSIX semaphore with label semlabel.
@return Return 0 if access is granted, otherwise an appropriate value for
errno should be returned.
*/typedefintmpo_posixsem_check_open_t(
kauth_cred_t cred,
struct pseminfo *ps,
struct label *semlabel
);
/**
@brief Access control check for POSIX semaphore post
@param cred Subject credential
@param ps Pointer to semaphore information structure
@param semlabel Label associated with the semaphore
Determine whether the subject identified by the credential can unlock
the named POSIX semaphore with label semlabel.
@return Return 0 if access is granted, otherwise an appropriate value for
errno should be returned.
*/typedefintmpo_posixsem_check_post_t(
kauth_cred_t cred,
struct pseminfo *ps,
struct label *semlabel
);
/**
@brief Access control check for POSIX semaphore unlink
@param cred Subject credential
@param ps Pointer to semaphore information structure
@param semlabel Label associated with the semaphore
@param name String name of the semaphore
Determine whether the subject identified by the credential can remove
the named POSIX semaphore with label semlabel.
@return Return 0 if access is granted, otherwise an appropriate value for
errno should be returned.
*/typedefintmpo_posixsem_check_unlink_t(
kauth_cred_t cred,
struct pseminfo *ps,
struct label *semlabel,
constchar *name
);
/**
@brief Access control check for POSIX semaphore wait
@param cred Subject credential
@param ps Pointer to semaphore information structure
@param semlabel Label associated with the semaphore
Determine whether the subject identified by the credential can lock
the named POSIX semaphore with label semlabel.
@return Return 0 if access is granted, otherwise an appropriate value for
errno should be returned.
*/typedefintmpo_posixsem_check_wait_t(
kauth_cred_t cred,
struct pseminfo *ps,
struct label *semlabel
);
/**
@brief Create a POSIX semaphore label
@param cred Subject credential
@param ps Pointer to semaphore information structure
@param semlabel Label to associate with the new semaphore
@param name String name of the semaphore
Label a new POSIX semaphore. The label was previously
initialized and associated with the semaphore. At this time, an
appropriate initial label value should be assigned to the object and
stored in semalabel.
*/typedefvoidmpo_posixsem_label_associate_t(
kauth_cred_t cred,
struct pseminfo *ps,
struct label *semlabel,
constchar *name
);
/**
@brief Destroy POSIX semaphore label
@param label The label to be destroyed
Destroy a POSIX semaphore label. Since the object is
going out of scope, policy modules should free any internal storage
associated with the label so that it may be destroyed.
*/typedefvoidmpo_posixsem_label_destroy_t(
struct label *label
);
/**
@brief Initialize POSIX semaphore label
@param label New label to initialize
Initialize the label for a newly instantiated POSIX semaphore. Sleeping
is permitted.
*/typedefvoidmpo_posixsem_label_init_t(
struct label *label
);
/**
@brief Access control check for POSIX shared memory region create
@param cred Subject credential
@param name String name of the shared memory region
Determine whether the subject identified by the credential can create
the POSIX shared memory region referenced by name.
@return Return 0 if access is granted, otherwise an appropriate value for
errno should be returned.
*/typedefintmpo_posixshm_check_create_t(
kauth_cred_t cred,
constchar *name
);
/**
@brief Access control check for mapping POSIX shared memory
@param cred Subject credential
@param ps Pointer to shared memory information structure
@param shmlabel Label associated with the shared memory region
@param prot mmap protections; see mmap(2)
@param flags shmat flags; see shmat(2)
Determine whether the subject identified by the credential can map
the POSIX shared memory segment associated with shmlabel.
@return Return 0 if access is granted, otherwise an appropriate value for
errno should be returned.
*/typedefintmpo_posixshm_check_mmap_t(
kauth_cred_t cred,
struct pshminfo *ps,
struct label *shmlabel,
int prot,
int flags
);
/**
@brief Access control check for POSIX shared memory region open
@param cred Subject credential
@param ps Pointer to shared memory information structure
@param shmlabel Label associated with the shared memory region
Determine whether the subject identified by the credential can open
the POSIX shared memory region.
@return Return 0 if access is granted, otherwise an appropriate value for
errno should be returned.
*/typedefintmpo_posixshm_check_open_t(
kauth_cred_t cred,
struct pshminfo *ps,
struct label *shmlabel
);
/**
@brief Access control check for POSIX shared memory stat
@param cred Subject credential
@param ps Pointer to shared memory information structure
@param shmlabel Label associated with the shared memory region
Determine whether the subject identified by the credential can obtain
status for the POSIX shared memory segment associated with shmlabel.
@return Return 0 if access is granted, otherwise an appropriate value for
errno should be returned.
*/typedefintmpo_posixshm_check_stat_t(
kauth_cred_t cred,
struct pshminfo *ps,
struct label *shmlabel
);
/**
@brief Access control check for POSIX shared memory truncate
@param cred Subject credential
@param ps Pointer to shared memory information structure
@param shmlabel Label associated with the shared memory region
@param len Length to truncate or extend shared memory segment
Determine whether the subject identified by the credential can truncate
or extend (to len) the POSIX shared memory segment associated with shmlabel.
@return Return 0 if access is granted, otherwise an appropriate value for
errno should be returned.
*/typedefintmpo_posixshm_check_truncate_t(
kauth_cred_t cred,
struct pshminfo *ps,
struct label *shmlabel,
off_t len
);
/**
@brief Access control check for POSIX shared memory unlink
@param cred Subject credential
@param ps Pointer to shared memory information structure
@param shmlabel Label associated with the shared memory region
@param name String name of the shared memory region
Determine whether the subject identified by the credential can delete
the POSIX shared memory segment associated with shmlabel.
@return Return 0 if access is granted, otherwise an appropriate value for
errno should be returned.
*/typedefintmpo_posixshm_check_unlink_t(
kauth_cred_t cred,
struct pshminfo *ps,
struct label *shmlabel,
constchar *name
);
/**
@brief Create a POSIX shared memory region label
@param cred Subject credential
@param ps Pointer to shared memory information structure
@param shmlabel Label to associate with the new shared memory region
@param name String name of the shared memory region
Label a new POSIX shared memory region. The label was previously
initialized and associated with the shared memory region. At this
time, an appropriate initial label value should be assigned to the
object and stored in shmlabel.
*/typedefvoidmpo_posixshm_label_associate_t(
kauth_cred_t cred,
struct pshminfo *ps,
struct label *shmlabel,
constchar *name
);
/**
@brief Destroy POSIX shared memory label
@param label The label to be destroyed
Destroy a POSIX shared memory region label. Since the
object is going out of scope, policy modules should free any
internal storage associated with the label so that it may be
destroyed.
*/typedefvoidmpo_posixshm_label_destroy_t(
struct label *label
);
/**
@brief Initialize POSIX Shared Memory region label
@param label New label to initialize
Initialize the label for newly a instantiated POSIX Shared Memory
region. Sleeping is permitted.
*/typedefvoidmpo_posixshm_label_init_t(
struct label *label
);
/**
@brief Access control check for privileged operations
@param cred Subject credential
@param priv Requested privilege (see sys/priv.h)
Determine whether the subject identified by the credential can perform
a privileged operation. Privileged operations are allowed if the cred
is the superuser or any policy returns zero for mpo_priv_grant, unless
any policy returns nonzero for mpo_priv_check.
@return Return 0 if access is granted, otherwise EPERM should be returned.
*/typedefintmpo_priv_check_t(
kauth_cred_t cred,
int priv
);
/**
@brief Grant regular users the ability to perform privileged operations
@param cred Subject credential
@param priv Requested privilege (see sys/priv.h)
Determine whether the subject identified by the credential should be
allowed to perform a privileged operation that in the absense of any
MAC policy it would not be able to perform. Privileged operations are
allowed if the cred is the superuser or any policy returns zero for
mpo_priv_grant, unless any policy returns nonzero for mpo_priv_check.
Unlike other MAC hooks which can only reduce the privilege of a
credential, this hook raises the privilege of a credential when it
returns 0. Extreme care must be taken when implementing this hook to
avoid undermining the security of the system.
@return Return 0 if additional privilege is granted, otherwise EPERM
should be returned.
*/typedefintmpo_priv_grant_t(
kauth_cred_t cred,
int priv
);
/**
@brief Access control check for debugging process
@param cred Subject credential
@param proc Object process
Determine whether the subject identified by the credential can debug
the passed process. This call may be made in a number of situations,
including use of the ptrace(2) and ktrace(2) APIs, as well as for some
types of procfs operations.
@return Return 0 if access is granted, otherwise an appropriate value for
errno should be returned. Suggested failure: EACCES for label mismatch,
EPERM for lack of privilege, or ESRCH to hide visibility of the target.
*/typedefintmpo_proc_check_debug_t(
kauth_cred_t cred,
struct proc *proc
);
/**
@brief Access control over fork
@param cred Subject credential
@param proc Subject process trying to fork
Determine whether the subject identified is allowed to fork.
@return Return 0 if access is granted, otherwise an appropriate value for
errno should be returned.
*/typedefintmpo_proc_check_fork_t(
kauth_cred_t cred,
struct proc *proc
);
/**
@brief Access control over pid_suspend and pid_resume
@param cred Subject credential
@param proc Subject process trying to run pid_suspend or pid_resume
@param sr Call is suspend (0) or resume (1)
Determine whether the subject identified is allowed to suspend or resume
other processes.
@return Return 0 if access is granted, otherwise an appropriate value for
errno should be returned.
*/typedefintmpo_proc_check_suspend_resume_t(
kauth_cred_t cred,
struct proc *proc,
int sr
);
/**
@brief Access control check for retrieving audit information
@param cred Subject credential
Determine whether the subject identified by the credential can get
audit information such as the audit user ID, the preselection mask,
the terminal ID and the audit session ID, using the getaudit() system call.
@return Return 0 if access is granted, otherwise an appropriate value for
errno should be returned.
*/typedefintmpo_proc_check_getaudit_t(
kauth_cred_t cred
);
/**
@brief Access control check for retrieving audit user ID
@param cred Subject credential
Determine whether the subject identified by the credential can get
the user identity being used by the auditing system, using the getauid()
system call.
@return Return 0 if access is granted, otherwise an appropriate value for
errno should be returned.
*/typedefintmpo_proc_check_getauid_t(
kauth_cred_t cred
);
/**
@brief Access control check for retrieving Login Context ID
@param p0 Calling process
@param p Effected process
@param pid syscall PID argument
Determine if getlcid(2) system call is permitted.
Information returned by this system call is similar to that returned via
process listings etc.
@return Return 0 if access is granted, otherwise an appropriate value for
errno should be returned.
*/typedefintmpo_proc_check_getlcid_t(
struct proc *p0,
struct proc *p,
pid_t pid
);
/**
@brief Access control check for mmap MAP_ANON
@param proc User process requesting the memory
@param cred Subject credential
@param u_addr Start address of the memory range
@param u_size Length address of the memory range
@param prot mmap protections; see mmap(2)
@param flags Type of mapped object; see mmap(2)
@param maxprot Maximum rights
Determine whether the subject identified by the credential should be
allowed to obtain anonymous memory using the specified flags and
protections on the new mapping. MAP_ANON will always be present in the
flags. Certain combinations of flags with a non-NULL addr may
cause a mapping to be rejected before this hook is called. The maxprot field
holds the maximum permissions on the new mapping, a combination of
VM_PROT_READ, VM_PROT_WRITE and VM_PROT_EXECUTE. To avoid overriding prior
access control checks, a policy should only remove flags from maxprot.
@return Return 0 if access is granted, otherwise an appropriate value for
errno should be returned. Suggested failure: EPERM for lack of privilege.
*/typedefintmpo_proc_check_map_anon_t(
struct proc *proc,
kauth_cred_t cred,
user_addr_t u_addr,
user_size_t u_size,
int prot,
int flags,
int *maxprot
);
/**
@brief Access control check for setting memory protections
@param cred Subject credential
@param proc User process requesting the change
@param addr Start address of the memory range
@param size Length address of the memory range
@param prot Memory protections, see mmap(2)
Determine whether the subject identified by the credential should
be allowed to set the specified memory protections on memory mapped
in the process proc.
@return Return 0 if access is granted, otherwise an appropriate value for
errno should be returned.
*/typedefintmpo_proc_check_mprotect_t(
kauth_cred_t cred,
struct proc *proc,
user_addr_t addr,
user_size_t size,
int prot
);
/**
@brief Access control check for changing scheduling parameters
@param cred Subject credential
@param proc Object process
Determine whether the subject identified by the credential can change
the scheduling parameters of the passed process.
@return Return 0 if access is granted, otherwise an appropriate value for
errno should be returned. Suggested failure: EACCES for label mismatch,
EPERM for lack of privilege, or ESRCH to limit visibility.
*/typedefintmpo_proc_check_sched_t(
kauth_cred_t cred,
struct proc *proc
);
/**
@brief Access control check for setting audit information
@param cred Subject credential
@param ai Audit information
Determine whether the subject identified by the credential can set
audit information such as the the preselection mask, the terminal ID
and the audit session ID, using the setaudit() system call.
@return Return 0 if access is granted, otherwise an appropriate value for
errno should be returned.
*/typedefintmpo_proc_check_setaudit_t(
kauth_cred_t cred,
struct auditinfo_addr *ai
);
/**
@brief Access control check for setting audit user ID
@param cred Subject credential
@param auid Audit user ID
Determine whether the subject identified by the credential can set
the user identity used by the auditing system, using the setauid()
system call.
@return Return 0 if access is granted, otherwise an appropriate value for
errno should be returned.
*/typedefintmpo_proc_check_setauid_t(
kauth_cred_t cred,
uid_t auid
);
/**
@brief Access control check for setting the Login Context
@param p0 Calling process
@param p Effected process
@param pid syscall PID argument
@param lcid syscall LCID argument
Determine if setlcid(2) system call is permitted.
See xnu/bsd/kern/kern_prot.c:setlcid() implementation for example of
decoding syscall arguments to determine action desired by caller.
Five distinct actions are possible: CREATE JOIN LEAVE ADOPT ORPHAN
@return Return 0 if access is granted, otherwise an appropriate value for
errno should be returned.
*/typedefintmpo_proc_check_setlcid_t(
struct proc *p0,
struct proc *p,
pid_t pid,
pid_t lcid
);
/**
@brief Access control check for delivering signal
@param cred Subject credential
@param proc Object process
@param signum Signal number; see kill(2)
Determine whether the subject identified by the credential can deliver
the passed signal to the passed process.
@warning Programs typically expect to be able to send and receive
signals as part or their normal process lifecycle; caution should be
exercised when implementing access controls over signal events.
@return Return 0 if access is granted, otherwise an appropriate value for
errno should be returned. Suggested failure: EACCES for label mismatch,
EPERM for lack of privilege, or ESRCH to limit visibility.
*/typedefintmpo_proc_check_signal_t(
kauth_cred_t cred,
struct proc *proc,
int signum
);
/**
@brief Access control check for wait
@param cred Subject credential
@param proc Object process
Determine whether the subject identified by the credential can wait
for process termination.
@warning Caution should be exercised when implementing access
controls for wait, since programs often wait for child processes to
exit. Failure to be notified of a child process terminating may
cause the parent process to hang, or may produce zombie processes.
@return Return 0 if access is granted, otherwise an appropriate value for
errno should be returned.
*/typedefintmpo_proc_check_wait_t(
kauth_cred_t cred,
struct proc *proc
);
/**
@brief Destroy process label
@param label The label to be destroyed
Destroy a process label. Since the object is going
out of scope, policy modules should free any internal storage
associated with the label so that it may be destroyed.
*/typedefvoidmpo_proc_label_destroy_t(
struct label *label
);
/**
@brief Initialize process label
@param label New label to initialize
@see mpo_cred_label_init_t
Initialize the label for a newly instantiated BSD process structure.
Normally, security policies will store the process label in the user
credential rather than here in the process structure. However,
there are some floating label policies that may need to temporarily
store a label in the process structure until it is safe to update
the user credential label. Sleeping is permitted.
*/typedefvoidmpo_proc_label_init_t(
struct label *label
);
/**
@brief Access control check for socket accept
@param cred Subject credential
@param socket Object socket
@param socklabel Policy label for socket
Determine whether the subject identified by the credential can accept()
a new connection on the socket from the host specified by addr.
@return Return 0 if access if granted, otherwise an appropriate
value for errno should be returned.
*/typedefintmpo_socket_check_accept_t(
kauth_cred_t cred,
socket_t so,
struct label *socklabel
);
/**
@brief Access control check for a pending socket accept
@param cred Subject credential
@param so Object socket
@param socklabel Policy label for socket
@param addr Address of the listening socket (coming soon)
Determine whether the subject identified by the credential can accept()
a pending connection on the socket from the host specified by addr.
@return Return 0 if access if granted, otherwise an appropriate
value for errno should be returned.
*/typedefintmpo_socket_check_accepted_t(
kauth_cred_t cred,
socket_t so,
struct label *socklabel,
struct sockaddr *addr
);
/**
@brief Access control check for socket bind
@param cred Subject credential
@param so Object socket
@param socklabel Policy label for socket
@param addr Name to assign to the socket
Determine whether the subject identified by the credential can bind()
the name (addr) to the socket.
@return Return 0 if access if granted, otherwise an appropriate
value for errno should be returned.
*/typedefintmpo_socket_check_bind_t(
kauth_cred_t cred,
socket_t so,
struct label *socklabel,
struct sockaddr *addr
);
/**
@brief Access control check for socket connect
@param cred Subject credential
@param so Object socket
@param socklabel Policy label for socket
@param addr Name to assign to the socket
Determine whether the subject identified by the credential can
connect() the passed socket to the remote host specified by addr.
@return Return 0 if access if granted, otherwise an appropriate
value for errno should be returned.
*/typedefintmpo_socket_check_connect_t(
kauth_cred_t cred,
socket_t so,
struct label *socklabel,
struct sockaddr *addr
);
/**
@brief Access control check for socket() system call.
@param cred Subject credential
@param domain communication domain
@param type socket type
@param protocol socket protocol
Determine whether the subject identified by the credential can
make the socket() call.
@return Return 0 if access if granted, otherwise an appropriate
value for errno should be returned.
*/typedefintmpo_socket_check_create_t(
kauth_cred_t cred,
int domain,
int type,
int protocol
);
/**
@brief Access control check for delivering data to a user's receieve queue
@param so The socket data is being delivered to
@param so_label The label of so
@param m The mbuf whose data will be deposited into the receive queue
@param m_label The label of the sender of the data.
A socket has a queue for receiving incoming data. When a packet arrives
on the wire, it eventually gets deposited into this queue, which the
owner of the socket drains when they read from the socket's file descriptor.
This function determines whether the socket can receive data from
the sender specified by m_label.
@warning There is an outstanding design issue surrounding the placement
of this function. The check must be placed either before or after the
TCP sequence and ACK counters are updated. Placing the check before
the counters are updated causes the incoming packet to be resent by
the remote if the check rejects it. Placing the check after the counters
are updated results in a completely silent drop. As far as each TCP stack
is concerned the packet was received, however, the data will not be in the
socket's receive queue. Another consideration is that the current design
requires using the "failed label" occasionally. In that case, on rejection,
we want the remote TCP to resend the data. Because of this, we chose to
place this check before the counters are updated, so rejected packets will be
resent by the remote host.
If a policy keeps rejecting the same packet, eventually the connection will
be dropped. Policies have several options if this design causes problems.
For example, one options is to sanitize the mbuf such that it is acceptable,
then accept it. That may require negotiation between policies as the
Framework will not know to re-check the packet.
The policy must handle NULL MBUF labels. This will likely be the case
for non-local TCP sockets for example.
@return Return 0 if access if granted, otherwise an appropriate
value for errno should be returned.
*/typedefintmpo_socket_check_deliver_t(
socket_t so,
struct label *so_label,
struct mbuf *m,
struct label *m_label
);
/**
@brief Access control check for socket kqfilter
@param cred Subject credential
@param kn Object knote
@param so Object socket
@param socklabel Policy label for socket
Determine whether the subject identified by the credential can
receive the knote on the passed socket.
@return Return 0 if access if granted, otherwise an appropriate
value for errno should be returned.
*/typedefintmpo_socket_check_kqfilter_t(
kauth_cred_t cred,
struct knote *kn,
socket_t so,
struct label *socklabel
);
/**
@brief Access control check for socket relabel
@param cred Subject credential
@param so Object socket
@param so_label The current label of so
@param newlabel The label to be assigned to so
Determine whether the subject identified by the credential can
change the label on the socket.
@return Return 0 if access if granted, otherwise an appropriate
value for errno should be returned.
*/typedefintmpo_socket_check_label_update_t(
kauth_cred_t cred,
socket_t so,
struct label *so_label,
struct label *newlabel
);
/**
@brief Access control check for socket listen
@param cred Subject credential
@param so Object socket
@param socklabel Policy label for socket
Determine whether the subject identified by the credential can
listen() on the passed socket.
@return Return 0 if access if granted, otherwise an appropriate
value for errno should be returned.
*/typedefintmpo_socket_check_listen_t(
kauth_cred_t cred,
socket_t so,
struct label *socklabel
);
/**
@brief Access control check for socket receive
@param cred Subject credential
@param so Object socket
@param socklabel Policy label for socket
Determine whether the subject identified by the credential can
receive data from the socket.
@return Return 0 if access if granted, otherwise an appropriate
value for errno should be returned.
*/typedefintmpo_socket_check_receive_t(
kauth_cred_t cred,
socket_t so,
struct label *socklabel
);
/**
@brief Access control check for socket receive
@param cred Subject credential
@param socket Object socket
@param socklabel Policy label for socket
@param addr Name of the remote socket
Determine whether the subject identified by the credential can
receive data from the remote host specified by addr.
@return Return 0 if access if granted, otherwise an appropriate
value for errno should be returned.
*/typedefintmpo_socket_check_received_t(
kauth_cred_t cred,
struct socket *sock,
struct label *socklabel,
struct sockaddr *saddr
);
/**
@brief Access control check for socket select
@param cred Subject credential
@param so Object socket
@param socklabel Policy label for socket
@param which The operation selected on: FREAD or FWRITE
Determine whether the subject identified by the credential can use the
socket in a call to select().
@return Return 0 if access if granted, otherwise an appropriate
value for errno should be returned.
*/typedefintmpo_socket_check_select_t(
kauth_cred_t cred,
socket_t so,
struct label *socklabel,
int which
);
/**
@brief Access control check for socket send
@param cred Subject credential
@param so Object socket
@param socklabel Policy label for socket
@param addr Address being sent to
Determine whether the subject identified by the credential can send
data to the socket.
@return Return 0 if access if granted, otherwise an appropriate
value for errno should be returned.
*/typedefintmpo_socket_check_send_t(
kauth_cred_t cred,
socket_t so,
struct label *socklabel,
struct sockaddr *addr
);
/**
@brief Access control check for retrieving socket status
@param cred Subject credential
@param so Object socket
@param socklabel Policy label for so
Determine whether the subject identified by the credential can
execute the stat() system call on the given socket.
@return Return 0 if access if granted, otherwise an appropriate
value for errno should be returned.
*/typedefintmpo_socket_check_stat_t(
kauth_cred_t cred,
socket_t so,
struct label *socklabel
);
/**
@brief Access control check for setting socket options
@param cred Subject credential
@param so Object socket
@param socklabel Policy label for so
@param sopt The options being set
Determine whether the subject identified by the credential can
execute the setsockopt system call on the given socket.
@return Return 0 if access if granted, otherwise an appropriate
value for errno should be returned.
*/typedefintmpo_socket_check_setsockopt_t(
kauth_cred_t cred,
socket_t so,
struct label *socklabel,
struct sockopt *sopt
);
/**
@brief Access control check for getting socket options
@param cred Subject credential
@param so Object socket
@param socklabel Policy label for so
@param sopt The options to get
Determine whether the subject identified by the credential can
execute the getsockopt system call on the given socket.
@return Return 0 if access if granted, otherwise an appropriate
value for errno should be returned.
*/typedefintmpo_socket_check_getsockopt_t(
kauth_cred_t cred,
socket_t so,
struct label *socklabel,
struct sockopt *sopt
);
/**
@brief Label a socket
@param oldsock Listening socket
@param oldlabel Policy label associated with oldsock
@param newsock New socket
@param newlabel Policy label associated with newsock
A new socket is created when a connection is accept(2)ed. This
function labels the new socket based on the existing listen(2)ing
socket.
*/typedefvoidmpo_socket_label_associate_accept_t(
socket_t oldsock,
struct label *oldlabel,
socket_t newsock,
struct label *newlabel
);
/**
@brief Assign a label to a new socket
@param cred Credential of the owning process
@param so The socket being labeled
@param solabel The label
@warning cred can be NULL
Set the label on a newly created socket from the passed subject
credential. This call is made when a socket is created. The
credentials may be null if the socket is being created by the
kernel.
*/typedefvoidmpo_socket_label_associate_t(
kauth_cred_t cred,
socket_t so,
struct label *solabel
);
/**
@brief Copy a socket label
@param src Source label
@param dest Destination label
Copy the socket label information in src into dest.
*/typedefvoidmpo_socket_label_copy_t(
struct label *src,
struct label *dest
);
/**
@brief Destroy socket label
@param label The label to be destroyed
Destroy a socket label. Since the object is going out of
scope, policy modules should free any internal storage associated
with the label so that it may be destroyed.
*/typedefvoidmpo_socket_label_destroy_t(
struct label *label
);
/**
@brief Externalize a socket label
@param label Label to be externalized
@param element_name Name of the label namespace for which labels should be
externalized
@param sb String buffer to be filled with a text representation of label
Produce an externalized socket label based on the label structure passed.
An externalized label consists of a text representation of the label
contents that can be used with userland applications and read by the
user. If element_name does not match a namespace managed by the policy,
simply return 0. Only return nonzero if an error occurs while externalizing
the label data.
@return In the event of an error, an appropriate value for errno
should be returned, otherwise return 0 upon success.
*/typedefintmpo_socket_label_externalize_t(
struct label *label,
char *element_name,
struct sbuf *sb
);
/**
@brief Initialize socket label
@param label New label to initialize
@param waitok Malloc flags
Initialize the label of a newly instantiated socket. The waitok
field may be one of M_WAITOK and M_NOWAIT, and should be employed to
avoid performing a sleeping malloc(9) during this initialization
call. It it not always safe to sleep during this entry point.
@warning Since it is possible for the waitok flags to be set to
M_NOWAIT, the malloc operation may fail.
@return In the event of an error, an appropriate value for errno
should be returned, otherwise return 0 upon success.
*/typedefintmpo_socket_label_init_t(
struct label *label,
int waitok
);
/**
@brief Internalize a socket label
@param label Label to be filled in
@param element_name Name of the label namespace for which the label should
be internalized
@param element_data Text data to be internalized
Produce an internal socket label structure based on externalized label
data in text format.
The policy's internalize entry points will be called only if the
policy has registered interest in the label namespace.
@return In the event of an error, an appropriate value for errno
should be returned, otherwise return 0 upon success.
*/typedefintmpo_socket_label_internalize_t(
struct label *label,
char *element_name,
char *element_data
);
/**
@brief Relabel socket
@param cred Subject credential
@param so Object; socket
@param so_label Current label of the socket
@param newlabel The label to be assigned to so
The subject identified by the credential has previously requested
and was authorized to relabel the socket; this entry point allows
policies to perform the actual label update operation.
@warning XXX This entry point will likely change in future versions.
*/typedefvoidmpo_socket_label_update_t(
kauth_cred_t cred,
socket_t so,
struct label *so_label,
struct label *newlabel
);
/**
@brief Set the peer label on a socket from mbuf
@param m Mbuf chain received on socket so
@param m_label Label for m
@param so Current label for the socket
@param so_label Policy label to be filled out for the socket
Set the peer label of a socket based on the label of the sender of the
mbuf.
This is called for every TCP/IP packet received. The first call for a given
socket operates on a newly initialized label, and subsequent calls operate
on existing label data.
@warning Because this can affect performance significantly, it has
different sematics than other 'set' operations. Typically, 'set' operations
operate on newly initialzed labels and policies do not need to worry about
clobbering existing values. In this case, it is too inefficient to
initialize and destroy a label every time data is received for the socket.
Instead, it is up to the policies to determine how to replace the label data.
Most policies should be able to replace the data inline.
*/typedefvoidmpo_socketpeer_label_associate_mbuf_t(
struct mbuf *m,
struct label *m_label,
socket_t so,
struct label *so_label
);
/**
@brief Set the peer label on a socket from socket
@param source Local socket
@param sourcelabel Policy label for source
@param target Peer socket
@param targetlabel Policy label to fill in for target
Set the peer label on a stream UNIX domain socket from the passed
remote socket endpoint. This call will be made when the socket pair
is connected, and will be made for both endpoints.
Note that this call is only made on connection; it is currently not updated
during communication.
*/typedefvoidmpo_socketpeer_label_associate_socket_t(
socket_t source,
struct label *sourcelabel,
socket_t target,
struct label *targetlabel
);
/**
@brief Destroy socket peer label
@param label The peer label to be destroyed
Destroy a socket peer label. Since the object is going out of
scope, policy modules should free any internal storage associated
with the label so that it may be destroyed.
*/typedefvoidmpo_socketpeer_label_destroy_t(
struct label *label
);
/**
@brief Externalize a socket peer label
@param label Label to be externalized
@param element_name Name of the label namespace for which labels should be
externalized
@param sb String buffer to be filled with a text representation of label
Produce an externalized socket peer label based on the label structure
passed. An externalized label consists of a text representation of the
label contents that can be used with userland applications and read by the
user. If element_name does not match a namespace managed by the policy,
simply return 0. Only return nonzero if an error occurs while externalizing
the label data.
@return In the event of an error, an appropriate value for errno
should be returned, otherwise return 0 upon success.
*/typedefintmpo_socketpeer_label_externalize_t(
struct label *label,
char *element_name,
struct sbuf *sb
);
/**
@brief Initialize socket peer label
@param label New label to initialize
@param waitok Malloc flags
Initialize the peer label of a newly instantiated socket. The
waitok field may be one of M_WAITOK and M_NOWAIT, and should be
employed to avoid performing a sleeping malloc(9) during this
initialization call. It it not always safe to sleep during this
entry point.
@warning Since it is possible for the waitok flags to be set to
M_NOWAIT, the malloc operation may fail.
@return In the event of an error, an appropriate value for errno
should be returned, otherwise return 0 upon success.
*/typedefintmpo_socketpeer_label_init_t(
struct label *label,
int waitok
);
/**
@brief Access control check for enabling accounting
@param cred Subject credential
@param vp Accounting file
@param vlabel Label associated with vp
Determine whether the subject should be allowed to enable accounting,
based on its label and the label of the accounting log file. See
acct(5) for more information.
As accounting is disabled by passing NULL to the acct(2) system call,
the policy should be prepared for both 'vp' and 'vlabel' to be NULL.
@return Return 0 if access is granted, otherwise an appropriate value for
errno should be returned.
*/typedefintmpo_system_check_acct_t(
kauth_cred_t cred,
struct vnode *vp,
struct label *vlabel
);
/**
@brief Access control check for audit
@param cred Subject credential
@param record Audit record
@param length Audit record length
Determine whether the subject identified by the credential can submit
an audit record for inclusion in the audit log via the audit() system call.
@return Return 0 if access is granted, otherwise an appropriate value for
errno should be returned.
*/typedefintmpo_system_check_audit_t(
kauth_cred_t cred,
void *record,
int length
);
/**
@brief Access control check for controlling audit
@param cred Subject credential
@param vp Audit file
@param vl Label associated with vp
Determine whether the subject should be allowed to enable auditing using
the auditctl() system call, based on its label and the label of the proposed
audit file.
@return Return 0 if access is granted, otherwise an appropriate value for
errno should be returned.
*/typedefintmpo_system_check_auditctl_t(
kauth_cred_t cred,
struct vnode *vp,
struct label *vl
);
/**
@brief Access control check for manipulating auditing
@param cred Subject credential
@param cmd Audit control command
Determine whether the subject identified by the credential can perform
the audit subsystem control operation cmd via the auditon() system call.
@return Return 0 if access is granted, otherwise an appropriate value for
errno should be returned.
*/typedefintmpo_system_check_auditon_t(
kauth_cred_t cred,
int cmd
);
/**
@brief Access control check for using CHUD facilities
@param cred Subject credential
Determine whether the subject identified by the credential can perform
performance-related tasks using the CHUD system call.
@return Return 0 if access is granted, otherwise an appropriate value for
errno should be returned.
*/typedefintmpo_system_check_chud_t(
kauth_cred_t cred
);
/**
@brief Access control check for obtaining the host control port
@param cred Subject credential
Determine whether the subject identified by the credential can
obtain the host control port.
@return Return 0 if access is granted, or non-zero otherwise.
*/typedefintmpo_system_check_host_priv_t(
kauth_cred_t cred
);
/**
@brief Access control check for calling NFS services
@param cred Subject credential
Determine whether the subject identified by the credential should be
allowed to call nfssrv(2).
@return Return 0 if access is granted, otherwise an appropriate value for
errno should be returned.
*/typedefintmpo_system_check_nfsd_t(
kauth_cred_t cred
);
/**
@brief Access control check for reboot
@param cred Subject credential
@param howto howto parameter from reboot(2)
Determine whether the subject identified by the credential should be
allowed to reboot the system in the specified manner.
@return Return 0 if access is granted, otherwise an appropriate value for
errno should be returned.
*/typedefintmpo_system_check_reboot_t(
kauth_cred_t cred,
int howto
);
/**
@brief Access control check for setting system clock
@param cred Subject credential
Determine whether the subject identified by the credential should be
allowed to set the system clock.
@return Return 0 if access is granted, otherwise an appropriate value for
errno should be returned.
*/typedefintmpo_system_check_settime_t(
kauth_cred_t cred
);
/**
@brief Access control check for removing swap devices
@param cred Subject credential
@param vp Swap device
@param label Label associated with vp
Determine whether the subject identified by the credential should be
allowed to remove vp as a swap device.
@return Return 0 if access is granted, otherwise an appropriate value for
errno should be returned.
*/typedefintmpo_system_check_swapoff_t(
kauth_cred_t cred,
struct vnode *vp,
struct label *label
);
/**
@brief Access control check for adding swap devices
@param cred Subject credential
@param vp Swap device
@param label Label associated with vp
Determine whether the subject identified by the credential should be
allowed to add vp as a swap device.
@return Return 0 if access is granted, otherwise an appropriate value for
errno should be returned.
*/typedefintmpo_system_check_swapon_t(
kauth_cred_t cred,
struct vnode *vp,
struct label *label
);
/**
@brief Access control check for sysctl
@param cred Subject credential
@param name Integer name; see sysctl(3)
@param namelen Length of name array of integers; see sysctl(3)
@param old 0 or address where to store old value; see sysctl(3)
@param oldlenp Pointer to length of old buffer; see sysctl(3)
@param inkernel Boolean; 1 if called from kernel
@param newvalue 0 or address of new value; see sysctl(3)
@param newlen Length of new buffer; see sysctl(3)
Determine whether the subject identified by the credential should be
allowed to make the specified sysctl(3) transaction.
The sysctl(3) call specifies that if the old value is not desired,
oldp and oldlenp should be set to NULL. Likewise, if a new value is
not to be set, newp should be set to NULL and newlen set to 0.
@return Return 0 if access is granted, otherwise an appropriate value for
errno should be returned.
*/typedefintmpo_system_check_sysctl_t(
kauth_cred_t cred,
int *name,
u_int namelen,
user_addr_t old, /* NULLOK */
user_addr_t oldlenp, /* NULLOK */int inkernel,
user_addr_t newvalue, /* NULLOK */
size_t newlen
);
/**
@brief Create a System V message label
@param cred Subject credential
@param msqkptr The message queue the message will be placed in
@param msqlabel The label of the message queue
@param msgptr The message
@param msglabel The label of the message
Label the message as its placed in the message queue.
*/typedefvoidmpo_sysvmsg_label_associate_t(
kauth_cred_t cred,
struct msqid_kernel *msqptr,
struct label *msqlabel,
struct msg *msgptr,
struct label *msglabel
);
/**
@brief Destroy System V message label
@param label The label to be destroyed
Destroy a System V message label. Since the object is
going out of scope, policy modules should free any internal storage
associated with the label so that it may be destroyed.
*/typedefvoidmpo_sysvmsg_label_destroy_t(
struct label *label
);
/**
@brief Initialize System V message label
@param label New label to initialize
Initialize the label for a newly instantiated System V message.
*/typedefvoidmpo_sysvmsg_label_init_t(
struct label *label
);
/**
@brief Clean up a System V message label
@param label The label to be destroyed
Clean up a System V message label. Darwin pre-allocates
messages at system boot time and re-uses them rather than
allocating new ones. Before messages are returned to the "free
pool", policies can cleanup or overwrite any information present in
the label.
*/typedefvoidmpo_sysvmsg_label_recycle_t(
struct label *label
);
/**
@brief Access control check for System V message enqueuing
@param cred Subject credential
@param msgptr The message
@param msglabel The message's label
@param msqkptr The message queue
@param msqlabel The message queue's label
Determine whether the subject identified by the credential can add the
given message to the given message queue.
@return Return 0 if access is granted, otherwise an appropriate value for
errno should be returned.
*/typedefintmpo_sysvmsq_check_enqueue_t(
kauth_cred_t cred,
struct msg *msgptr,
struct label *msglabel,
struct msqid_kernel *msqptr,
struct label *msqlabel
);
/**
@brief Access control check for System V message reception
@param cred The credential of the intended recipient
@param msgptr The message
@param msglabel The message's label
Determine whether the subject identified by the credential can receive
the given message.
@return Return 0 if access is granted, otherwise an appropriate value for
errno should be returned.
*/typedefintmpo_sysvmsq_check_msgrcv_t(
kauth_cred_t cred,
struct msg *msgptr,
struct label *msglabel
);
/**
@brief Access control check for System V message queue removal
@param cred The credential of the caller
@param msgptr The message
@param msglabel The message's label
System V message queues are removed using the msgctl() system call.
The system will iterate over each messsage in the queue, calling this
function for each, to determine whether the caller has the appropriate
credentials.
@return Return 0 if access is granted, otherwise an appropriate value for
errno should be returned.
*/typedefintmpo_sysvmsq_check_msgrmid_t(
kauth_cred_t cred,
struct msg *msgptr,
struct label *msglabel
);
/**
@brief Access control check for msgctl()
@param cred The credential of the caller
@param msqptr The message queue
@param msqlabel The message queue's label
This access check is performed to validate calls to msgctl().
@return Return 0 if access is granted, otherwise an appropriate value for
errno should be returned.
*/typedefintmpo_sysvmsq_check_msqctl_t(
kauth_cred_t cred,
struct msqid_kernel *msqptr,
struct label *msqlabel,
int cmd
);
/**
@brief Access control check to get a System V message queue
@param cred The credential of the caller
@param msqptr The message queue requested
@param msqlabel The message queue's label
On a call to msgget(), if the queue requested already exists,
and it is a public queue, this check will be performed before the
queue's ID is returned to the user.
@return Return 0 if access is granted, otherwise an appropriate value for
errno should be returned.
*/typedefintmpo_sysvmsq_check_msqget_t(
kauth_cred_t cred,
struct msqid_kernel *msqptr,
struct label *msqlabel
);
/**
@brief Access control check to receive a System V message from the given queue
@param cred The credential of the caller
@param msqptr The message queue to receive from
@param msqlabel The message queue's label
On a call to msgrcv(), this check is performed to determine whether the
caller has receive rights on the given queue.
@return Return 0 if access is granted, otherwise an appropriate value for
errno should be returned.
*/typedefintmpo_sysvmsq_check_msqrcv_t(
kauth_cred_t cred,
struct msqid_kernel *msqptr,
struct label *msqlabel
);
/**
@brief Access control check to send a System V message to the given queue
@param cred The credential of the caller
@param msqptr The message queue to send to
@param msqlabel The message queue's label
On a call to msgsnd(), this check is performed to determine whether the
caller has send rights on the given queue.
@return Return 0 if access is granted, otherwise an appropriate value for
errno should be returned.
*/typedefintmpo_sysvmsq_check_msqsnd_t(
kauth_cred_t cred,
struct msqid_kernel *msqptr,
struct label *msqlabel
);
/**
@brief Create a System V message queue label
@param cred Subject credential
@param msqkptr The message queue
@param msqlabel The label of the message queue
*/typedefvoidmpo_sysvmsq_label_associate_t(
kauth_cred_t cred,
struct msqid_kernel *msqptr,
struct label *msqlabel
);
/**
@brief Destroy System V message queue label
@param label The label to be destroyed
Destroy a System V message queue label. Since the object is
going out of scope, policy modules should free any internal storage
associated with the label so that it may be destroyed.
*/typedefvoidmpo_sysvmsq_label_destroy_t(
struct label *label
);
/**
@brief Initialize System V message queue label
@param label New label to initialize
Initialize the label for a newly instantiated System V message queue.
*/typedefvoidmpo_sysvmsq_label_init_t(
struct label *label
);
/**
@brief Clean up a System V message queue label
@param label The label to be destroyed
Clean up a System V message queue label. Darwin pre-allocates
message queues at system boot time and re-uses them rather than
allocating new ones. Before message queues are returned to the "free
pool", policies can cleanup or overwrite any information present in
the label.
*/typedefvoidmpo_sysvmsq_label_recycle_t(
struct label *label
);
/**
@brief Access control check for System V semaphore control operation
@param cred Subject credential
@param semakptr Pointer to semaphore identifier
@param semaklabel Label associated with semaphore
@param cmd Control operation to be performed; see semctl(2)
Determine whether the subject identified by the credential can perform
the operation indicated by cmd on the System V semaphore semakptr.
@return Return 0 if access is granted, otherwise an appropriate value for
errno should be returned.
*/typedefintmpo_sysvsem_check_semctl_t(
kauth_cred_t cred,
struct semid_kernel *semakptr,
struct label *semaklabel,
int cmd
);
/**
@brief Access control check for obtaining a System V semaphore
@param cred Subject credential
@param semakptr Pointer to semaphore identifier
@param semaklabel Label to associate with the semaphore
Determine whether the subject identified by the credential can
obtain a System V semaphore.
@return Return 0 if access is granted, otherwise an appropriate value for
errno should be returned.
*/typedefintmpo_sysvsem_check_semget_t(
kauth_cred_t cred,
struct semid_kernel *semakptr,
struct label *semaklabel
);
/**
@brief Access control check for System V semaphore operations
@param cred Subject credential
@param semakptr Pointer to semaphore identifier
@param semaklabel Label associated with the semaphore
@param accesstype Flags to indicate access (read and/or write)
Determine whether the subject identified by the credential can
perform the operations on the System V semaphore indicated by
semakptr. The accesstype flags hold the maximum set of permissions
from the sem_op array passed to the semop system call. It may
contain SEM_R for read-only operations or SEM_A for read/write
operations.
@return Return 0 if access is granted, otherwise an appropriate value for
errno should be returned.
*/typedefintmpo_sysvsem_check_semop_t(
kauth_cred_t cred,
struct semid_kernel *semakptr,
struct label *semaklabel,
size_t accesstype
);
/**
@brief Create a System V semaphore label
@param cred Subject credential
@param semakptr The semaphore being created
@param semalabel Label to associate with the new semaphore
Label a new System V semaphore. The label was previously
initialized and associated with the semaphore. At this time, an
appropriate initial label value should be assigned to the object and
stored in semalabel.
*/typedefvoidmpo_sysvsem_label_associate_t(
kauth_cred_t cred,
struct semid_kernel *semakptr,
struct label *semalabel
);
/**
@brief Destroy System V semaphore label
@param label The label to be destroyed
Destroy a System V semaphore label. Since the object is
going out of scope, policy modules should free any internal storage
associated with the label so that it may be destroyed.
*/typedefvoidmpo_sysvsem_label_destroy_t(
struct label *label
);
/**
@brief Initialize System V semaphore label
@param label New label to initialize
Initialize the label for a newly instantiated System V semaphore. Sleeping
is permitted.
*/typedefvoidmpo_sysvsem_label_init_t(
struct label *label
);
/**
@brief Clean up a System V semaphore label
@param label The label to be cleaned
Clean up a System V semaphore label. Darwin pre-allocates
semaphores at system boot time and re-uses them rather than
allocating new ones. Before semaphores are returned to the "free
pool", policies can cleanup or overwrite any information present in
the label.
*/typedefvoidmpo_sysvsem_label_recycle_t(
struct label *label
);
/**
@brief Access control check for mapping System V shared memory
@param cred Subject credential
@param shmsegptr Pointer to shared memory segment identifier
@param shmseglabel Label associated with the shared memory segment
@param shmflg shmat flags; see shmat(2)
Determine whether the subject identified by the credential can map
the System V shared memory segment associated with shmsegptr.
@return Return 0 if access is granted, otherwise an appropriate value for
errno should be returned.
*/typedefintmpo_sysvshm_check_shmat_t(
kauth_cred_t cred,
struct shmid_kernel *shmsegptr,
struct label *shmseglabel,
int shmflg
);
/**
@brief Access control check for System V shared memory control operation
@param cred Subject credential
@param shmsegptr Pointer to shared memory segment identifier
@param shmseglabel Label associated with the shared memory segment
@param cmd Control operation to be performed; see shmctl(2)
Determine whether the subject identified by the credential can perform
the operation indicated by cmd on the System V shared memory segment
shmsegptr.
@return Return 0 if access is granted, otherwise an appropriate value for
errno should be returned.
*/typedefintmpo_sysvshm_check_shmctl_t(
kauth_cred_t cred,
struct shmid_kernel *shmsegptr,
struct label *shmseglabel,
int cmd
);
/**
@brief Access control check for unmapping System V shared memory
@param cred Subject credential
@param shmsegptr Pointer to shared memory segment identifier
@param shmseglabel Label associated with the shared memory segment
Determine whether the subject identified by the credential can unmap
the System V shared memory segment associated with shmsegptr.
@return Return 0 if access is granted, otherwise an appropriate value for
errno should be returned.
*/typedefintmpo_sysvshm_check_shmdt_t(
kauth_cred_t cred,
struct shmid_kernel *shmsegptr,
struct label *shmseglabel
);
/**
@brief Access control check obtaining System V shared memory identifier
@param cred Subject credential
@param shmsegptr Pointer to shared memory segment identifier
@param shmseglabel Label associated with the shared memory segment
@param shmflg shmget flags; see shmget(2)
Determine whether the subject identified by the credential can get
the System V shared memory segment address.
@return Return 0 if access is granted, otherwise an appropriate value for
errno should be returned.
*/typedefintmpo_sysvshm_check_shmget_t(
kauth_cred_t cred,
struct shmid_kernel *shmsegptr,
struct label *shmseglabel,
int shmflg
);
/**
@brief Create a System V shared memory region label
@param cred Subject credential
@param shmsegptr The shared memory region being created
@param shmlabel Label to associate with the new shared memory region
Label a new System V shared memory region. The label was previously
initialized and associated with the shared memory region. At this
time, an appropriate initial label value should be assigned to the
object and stored in shmlabel.
*/typedefvoidmpo_sysvshm_label_associate_t(
kauth_cred_t cred,
struct shmid_kernel *shmsegptr,
struct label *shmlabel
);
/**
@brief Destroy System V shared memory label
@param label The label to be destroyed
Destroy a System V shared memory region label. Since the
object is going out of scope, policy modules should free any
internal storage associated with the label so that it may be
destroyed.
*/typedefvoidmpo_sysvshm_label_destroy_t(
struct label *label
);
/**
@brief Initialize System V Shared Memory region label
@param label New label to initialize
Initialize the label for a newly instantiated System V Shared Memory
region. Sleeping is permitted.
*/typedefvoidmpo_sysvshm_label_init_t(
struct label *label
);
/**
@brief Clean up a System V Share Memory Region label
@param shmlabel The label to be cleaned
Clean up a System V Shared Memory Region label. Darwin
pre-allocates these objects at system boot time and re-uses them
rather than allocating new ones. Before the memory regions are
returned to the "free pool", policies can cleanup or overwrite any
information present in the label.
*/typedefvoidmpo_sysvshm_label_recycle_t(
struct label *shmlabel
);
/**
@brief Access control check for getting a process's task name
@param cred Subject credential
@param proc Object process
Determine whether the subject identified by the credential can get
the passed process's task name port.
This call is used by the task_name_for_pid(2) API.
@return Return 0 if access is granted, otherwise an appropriate value for
errno should be returned. Suggested failure: EACCES for label mismatch,
EPERM for lack of privilege, or ESRCH to hide visibility of the target.
*/typedefintmpo_proc_check_get_task_name_t(
kauth_cred_t cred,
struct proc *p
);
/**
@brief Access control check for getting a process's task port
@param cred Subject credential
@param proc Object process
Determine whether the subject identified by the credential can get
the passed process's task control port.
This call is used by the task_for_pid(2) API.
@return Return 0 if access is granted, otherwise an appropriate value for
errno should be returned. Suggested failure: EACCES for label mismatch,
EPERM for lack of privilege, or ESRCH to hide visibility of the target.
*/typedefintmpo_proc_check_get_task_t(
kauth_cred_t cred,
struct proc *p
);
/**
@brief Privilege check for a process to run invalid
@param proc Object process
Determine whether the process may execute even though the system determined
that it is untrusted (eg unidentified / modified code).
@return Return 0 if access is granted, otherwise an appropriate value for
errno should be returned.
*/typedefintmac_proc_check_run_cs_invalid_t(
struct proc *p
);
/**
@brief Assign a label to a new kernelspace Mach task
@param kproc New task
@param tasklabel Label for new task
@param portlabel Label for new task port
@see mpo_cred_label_associate_kernel_t
Assign labels to a new kernel task and its task port. Both the task and
task port labels should be specified. Both new labels are initialized.
If there is an associated BSD process structure, it will be labelled
with calls to mpo_cred_label_associate_kernel.
*/typedefvoidmpo_task_label_associate_kernel_t(
struct task *kproc,
struct label *tasklabel,
struct label *portlabel
);
/**
@brief Assign a label to a new (userspace) Mach task
@param parent Parent task
@param child New (child) task
@param parentlabel Label of parent task
@param childlabel Label for new task
@param childportlabel Label for new task's task port
Assign labels to a new task and its task port. Both the task and task port
labels should be specified. Both new labels are initialized. If the task
will have an associated BSD process, that information will be made available
by the task_label_update and port_label_update_cred entry points.
*/typedefvoidmpo_task_label_associate_t(
struct task *parent,
struct task *child,
struct label *parentlabel,
struct label *childlabel,
struct label *childportlabel
);
/**
@brief Copy a Mach task label
@param src Source task label
@param dest Destination task label
Copy the Mach task label information from src to dest. This is used
when duplicating label handles to implement copy-on-write semantics.
*/typedefvoidmpo_task_label_copy_t(
struct label *src,
struct label *dest
);
/**
@brief Destroy Mach task label
@param label The label to be destroyed
Destroy a Mach task label. Since the object is going out of
scope, policy modules should free any internal storage associated
with the label so that it may be destroyed.
*/typedefvoidmpo_task_label_destroy_t(
struct label *label
);
/**
@brief Externalize a task label
@param label Label to be externalized
@param element_name Name of the label namespace for which labels should be
externalized
@param sb String buffer to be filled with a text representation of the label
Produce an external representation of the label on a task. An
externalized label consists of a text representation of the label
contents that can be used with user applications. Policy-agnostic
user space tools will display this externalized version.
@return 0 on success, return non-zero if an error occurs while
externalizing the label data.
*/typedefintmpo_task_label_externalize_t(
struct label *label,
char *element_name,
struct sbuf *sb
);
/**
@brief Initialize Mach task label
@param label New label to initialize
Initialize the label for a newly instantiated Mach task. Sleeping
is permitted.
*/typedefvoidmpo_task_label_init_t(
struct label *label
);
/**
@brief Internalize a task label
@param label Label to be internalized
@param element_name Name of the label namespace for which the label should
be internalized
@param element_data Text data to be internalized
Produce a task label from an external representation. An
externalized label consists of a text representation of the label
contents that can be used with user applications. Policy-agnostic
user space tools will forward text version to the kernel for
processing by individual policy modules.
The policy's internalize entry points will be called only if the
policy has registered interest in the label namespace.
@return 0 on success, Otherwise, return non-zero if an error occurs
while internalizing the label data.
*/typedefintmpo_task_label_internalize_t(
struct label *label,
char *element_name,
char *element_data
);
/**
@brief Update a Mach task label
@param cred User credential label to be used as the source
@param task Mach task label to be used as the destination
@see mpo_cred_label_update_t
@see mpo_cred_label_update_execve_t
Update the label on a Mach task, using the supplied user credential
label. When a mac_cred_label_update_execve or a mac_cred_label_update operation
causes the label on a user credential to change, the Mach task label
also needs to be updated to reflect the change. Both labels are
already valid (initialized and created).
@warning XXX We may change the name of this entry point in a future
version of the MAC framework.
*/typedefvoidmpo_task_label_update_t(
struct label *cred,
struct label *task
);
/**
@brief Check vnode access
@param cred Subject credential
@param vp Object vnode
@param label Label for vp
@param acc_mode access(2) flags
Determine how invocations of access(2) and related calls by the
subject identified by the credential should return when performed
on the passed vnode using the passed access flags. This should
generally be implemented using the same semantics used in
mpo_vnode_check_open.
@return Return 0 if access is granted, otherwise an appropriate value for
errno should be returned. Suggested failure: EACCES for label mismatch or
EPERM for lack of privilege.
*/typedefintmpo_vnode_check_access_t(
kauth_cred_t cred,
struct vnode *vp,
struct label *label,
int acc_mode
);
/**
@brief Access control check for changing working directory
@param cred Subject credential
@param dvp Object; vnode to chdir(2) into
@param dlabel Policy label for dvp
Determine whether the subject identified by the credential can change
the process working directory to the passed vnode.
@return Return 0 if access is granted, otherwise an appropriate value for
errno should be returned. Suggested failure: EACCES for label mismatch or
EPERM for lack of privilege.
*/typedefintmpo_vnode_check_chdir_t(
kauth_cred_t cred,
struct vnode *dvp,
struct label *dlabel
);
/**
@brief Access control check for changing root directory
@param cred Subject credential
@param dvp Directory vnode
@param dlabel Policy label associated with dvp
@param cnp Component name for dvp
Determine whether the subject identified by the credential should be
allowed to chroot(2) into the specified directory (dvp).
@return In the event of an error, an appropriate value for errno
should be returned, otherwise return 0 upon success.
*/typedefintmpo_vnode_check_chroot_t(
kauth_cred_t cred,
struct vnode *dvp,
struct label *dlabel,
struct componentname *cnp
);
/**
@brief Access control check for creating vnode
@param cred Subject credential
@param dvp Directory vnode
@param dlabel Policy label for dvp
@param cnp Component name for dvp
@param vap vnode attributes for vap
Determine whether the subject identified by the credential can create
a vnode with the passed parent directory, passed name information,
and passed attribute information. This call may be made in a number of
situations, including as a result of calls to open(2) with O_CREAT,
mknod(2), mkfifo(2), and others.
@return Return 0 if access is granted, otherwise an appropriate value for
errno should be returned. Suggested failure: EACCES for label mismatch or
EPERM for lack of privilege.
*/typedefintmpo_vnode_check_create_t(
kauth_cred_t cred,
struct vnode *dvp,
struct label *dlabel,
struct componentname *cnp,
struct vnode_attr *vap
);
/**
@brief Access control check for deleting extended attribute
@param cred Subject credential
@param vp Object vnode
@param vlabel Label associated with vp
@param name Extended attribute name
Determine whether the subject identified by the credential can delete
the extended attribute from the passed vnode.
@return Return 0 if access is granted, otherwise an appropriate value for
errno should be returned. Suggested failure: EACCES for label mismatch or
EPERM for lack of privilege.
*/typedefintmpo_vnode_check_deleteextattr_t(
kauth_cred_t cred,
struct vnode *vp,
struct label *vlabel,
constchar *name
);
/**
@brief Access control check for exchanging file data
@param cred Subject credential
@param v1 vnode 1 to swap
@param vl1 Policy label for v1
@param v2 vnode 2 to swap
@param vl2 Policy label for v2
Determine whether the subject identified by the credential can swap the data
in the two supplied vnodes.
@return Return 0 if access is granted, otherwise an appropriate value for
errno should be returned. Suggested failure: EACCES for label mismatch or
EPERM for lack of privilege.
*/typedefintmpo_vnode_check_exchangedata_t(
kauth_cred_t cred,
struct vnode *v1,
struct label *vl1,
struct vnode *v2,
struct label *vl2
);
/**
@brief Access control check for executing the vnode
@param cred Subject credential
@param vp Object vnode to execute
@param label Policy label for vp
@param execlabel Userspace provided execution label
@param cnp Component name for file being executed
Determine whether the subject identified by the credential can execute
the passed vnode. Determination of execute privilege is made separately
from decisions about any process label transitioning event.
The final label, execlabel, corresponds to a label supplied by a
user space application through the use of the mac_execve system call.
This label will be NULL if the user application uses the the vendor
execve(2) call instead of the MAC Framework mac_execve() call.
@return Return 0 if access is granted, otherwise an appropriate value for
errno should be returned. Suggested failure: EACCES for label mismatch or
EPERM for lack of privilege.
*/typedefintmpo_vnode_check_exec_t(
kauth_cred_t cred,
struct vnode *vp,
struct label *label,
struct label *execlabel, /* NULLOK */struct componentname *cnp,
u_int *csflags
);
/**
@brief Access control check for fsgetpath
@param cred Subject credential
@param vp Vnode for which a path will be returned
@param label Label associated with the vnode
Determine whether the subject identified by the credential can get the path
of the given vnode with fsgetpath.
@return Return 0 if access is granted, otherwise an appropriate value for
errno should be returned.
*/typedefintmpo_vnode_check_fsgetpath_t(
kauth_cred_t cred,
struct vnode *vp,
struct label *label
);
/**
@brief Access control check after determining the code directory hash
*/typedefintmpo_vnode_check_signature_t(struct vnode *vp, struct label *label,
unsignedchar *sha1, void *signature,
int size);
/**
@brief Access control check for retrieving file attributes
@param cred Subject credential
@param vp Object vnode
@param vlabel Policy label for vp
@param alist List of attributes to retrieve
Determine whether the subject identified by the credential can read
various attributes of the specified vnode, or the filesystem or volume on
which that vnode resides. See <sys/attr.h> for definitions of the
attributes.
@return Return 0 if access is granted, otherwise an appropriate value for
errno should be returned. Suggested failure: EACCES for label mismatch or
EPERM for lack of privilege. Access control covers all attributes requested
with this call; the security policy is not permitted to change the set of
attributes requested.
*/typedefintmpo_vnode_check_getattrlist_t(
kauth_cred_t cred,
struct vnode *vp,
struct label *vlabel,
struct attrlist *alist
);
/**
@brief Access control check for retrieving an extended attribute
@param cred Subject credential
@param vp Object vnode
@param label Policy label for vp
@param name Extended attribute name
@param uio I/O structure pointer
Determine whether the subject identified by the credential can retrieve
the extended attribute from the passed vnode. The uio parameter
will be NULL when the getxattr(2) call has been made with a NULL data
value; this is done to request the size of the data only.
@return Return 0 if access is granted, otherwise an appropriate value for
errno should be returned. Suggested failure: EACCES for label mismatch or
EPERM for lack of privilege.
*/typedefintmpo_vnode_check_getextattr_t(
kauth_cred_t cred,
struct vnode *vp,
struct label *label, /* NULLOK */constchar *name,
struct uio *uio /* NULLOK */
);
/**
@brief Access control check for ioctl
@param cred Subject credential
@param vp Object vnode
@param label Policy label for vp
@param com Device-dependent request code; see ioctl(2)
Determine whether the subject identified by the credential can perform
the ioctl operation indicated by com.
@warning Since ioctl data is opaque from the standpoint of the MAC
framework, and since ioctls can affect many aspects of system
operation, policies must exercise extreme care when implementing
access control checks.
@return Return 0 if access is granted, otherwise an appropriate value for
errno should be returned.
*/typedefintmpo_vnode_check_ioctl_t(
kauth_cred_t cred,
struct vnode *vp,
struct label *label,
unsignedint cmd
);
/**
@brief Access control check for vnode kqfilter
@param cred Subject credential
@param kn Object knote
@param vp Object vnode
@param label Policy label for vp
Determine whether the subject identified by the credential can
receive the knote on the passed vnode.
@return Return 0 if access if granted, otherwise an appropriate
value for errno should be returned.
*/typedefintmpo_vnode_check_kqfilter_t(
kauth_cred_t active_cred,
kauth_cred_t file_cred, /* NULLOK */struct knote *kn,
struct vnode *vp,
struct label *label
);
/**
@brief Access control check for relabel
@param cred Subject credential
@param vp Object vnode
@param vnodelabel Existing policy label for vp
@param newlabel Policy label update to later be applied to vp
@see mpo_relable_vnode_t
Determine whether the subject identified by the credential can relabel
the passed vnode to the passed label update. If all policies permit
the label change, the actual relabel entry point (mpo_vnode_label_update)
will follow.
@return Return 0 if access is granted, otherwise an appropriate value for
errno should be returned.
*/typedefintmpo_vnode_check_label_update_t(
struct ucred *cred,
struct vnode *vp,
struct label *vnodelabel,
struct label *newlabel
);
/**
@brief Access control check for creating link
@param cred Subject credential
@param dvp Directory vnode
@param dlabel Policy label associated with dvp
@param vp Link destination vnode
@param label Policy label associated with vp
@param cnp Component name for the link being created
Determine whether the subject identified by the credential should be
allowed to create a link to the vnode vp with the name specified by cnp.
@return Return 0 if access is granted, otherwise an appropriate value for
errno should be returned.
*/typedefintmpo_vnode_check_link_t(
kauth_cred_t cred,
struct vnode *dvp,
struct label *dlabel,
struct vnode *vp,
struct label *label,
struct componentname *cnp
);
/**
@brief Access control check for listing extended attributes
@param cred Subject credential
@param vp Object vnode
@param vlabel Policy label associated with vp
Determine whether the subject identified by the credential can retrieve
a list of named extended attributes from a vnode.
@return Return 0 if access is granted, otherwise an appropriate value for
errno should be returned.
*/typedefintmpo_vnode_check_listextattr_t(
kauth_cred_t cred,
struct vnode *vp,
struct label *vlabel
);
/**
@brief Access control check for lookup
@param cred Subject credential
@param dvp Object vnode
@param dlabel Policy label for dvp
@param cnp Component name being looked up
Determine whether the subject identified by the credential can perform
a lookup in the passed directory vnode for the passed name (cnp).
@return Return 0 if access is granted, otherwise an appropriate value for
errno should be returned. Suggested failure: EACCES for label mismatch or
EPERM for lack of privilege.
*/typedefintmpo_vnode_check_lookup_t(
kauth_cred_t cred,
struct vnode *dvp,
struct label *dlabel,
struct componentname *cnp
);
/**
@brief Access control check for open
@param cred Subject credential
@param vp Object vnode
@param label Policy label associated with vp
@param acc_mode open(2) access mode
Determine whether the subject identified by the credential can perform
an open operation on the passed vnode with the passed access mode.
@return Return 0 if access is granted, otherwise an appropriate value for
errno should be returned. Suggested failure: EACCES for label mismatch or
EPERM for lack of privilege.
*/typedefintmpo_vnode_check_open_t(
kauth_cred_t cred,
struct vnode *vp,
struct label *label,
int acc_mode
);
/**
@brief Access control check for read
@param active_cred Subject credential
@param file_cred Credential associated with the struct fileproc
@param vp Object vnode
@param label Policy label for vp
Determine whether the subject identified by the credential can perform
a read operation on the passed vnode. The active_cred hold the credentials
of the subject performing the operation, and file_cred holds the
credentials of the subject that originally opened the file.
@return Return 0 if access is granted, otherwise an appropriate value for
errno should be returned. Suggested failure: EACCES for label mismatch or
EPERM for lack of privilege.
*/typedefintmpo_vnode_check_read_t(
kauth_cred_t active_cred, /* SUBJECT */
kauth_cred_t file_cred, /* NULLOK */struct vnode *vp, /* OBJECT */struct label *label /* LABEL */
);
/**
@brief Access control check for read directory
@param cred Subject credential
@param dvp Object directory vnode
@param dlabel Policy label for dvp
Determine whether the subject identified by the credential can
perform a readdir operation on the passed directory vnode.
@return Return 0 if access is granted, otherwise an appropriate value for
errno should be returned. Suggested failure: EACCES for label mismatch or
EPERM for lack of privilege.
*/typedefintmpo_vnode_check_readdir_t(
kauth_cred_t cred, /* SUBJECT */struct vnode *dvp, /* OBJECT */struct label *dlabel /* LABEL */
);
/**
@brief Access control check for read link
@param cred Subject credential
@param vp Object vnode
@param label Policy label for vp
Determine whether the subject identified by the credential can perform
a readlink operation on the passed symlink vnode. This call can be made
in a number of situations, including an explicit readlink call by the
user process, or as a result of an implicit readlink during a name
lookup by the process.
@return Return 0 if access is granted, otherwise an appropriate value for
errno should be returned. Suggested failure: EACCES for label mismatch or
EPERM for lack of privilege.
*/typedefintmpo_vnode_check_readlink_t(
kauth_cred_t cred,
struct vnode *vp,
struct label *label
);
/**
@brief Access control check for rename from
@param cred Subject credential
@param dvp Directory vnode
@param dlabel Policy label associated with dvp
@param vp vnode to be renamed
@param label Policy label associated with vp
@param cnp Component name for vp
@see mpo_vnode_check_rename_to_t
Determine whether the subject identified by the credential should be
allowed to rename the vnode vp to something else.
Due to VFS locking constraints (to make sure proper vnode locks are
held during this entry point), the vnode relabel checks had to be
split into two parts: relabel_from and relabel to.
@return Return 0 if access is granted, otherwise an appropriate value for
errno should be returned.
*/typedefintmpo_vnode_check_rename_from_t(
kauth_cred_t cred,
struct vnode *dvp,
struct label *dlabel,
struct vnode *vp,
struct label *label,
struct componentname *cnp
);
/**
@brief Access control check for rename to
@param cred Subject credential
@param dvp Directory vnode
@param dlabel Policy label associated with dvp
@param vp Overwritten vnode
@param label Policy label associated with vp
@param samedir Boolean; 1 if the source and destination directories are the same
@param cnp Destination component name
@see mpo_vnode_check_rename_from_t
Determine whether the subject identified by the credential should be
allowed to rename to the vnode vp, into the directory dvp, or to the
name represented by cnp. If there is no existing file to overwrite,
vp and label will be NULL.
Due to VFS locking constraints (to make sure proper vnode locks are
held during this entry point), the vnode relabel checks had to be
split into two parts: relabel_from and relabel to.
@return Return 0 if access is granted, otherwise an appropriate value for
errno should be returned.
*/typedefintmpo_vnode_check_rename_to_t(
kauth_cred_t cred,
struct vnode *dvp,
struct label *dlabel,
struct vnode *vp, /* NULLOK */struct label *label, /* NULLOK */int samedir,
struct componentname *cnp
);
/**
@brief Access control check for revoke
@param cred Subject credential
@param vp Object vnode
@param label Policy label for vp
Determine whether the subject identified by the credential can revoke
access to the passed vnode.
@return Return 0 if access is granted, otherwise an appropriate value for
errno should be returned. Suggested failure: EACCES for label mismatch or
EPERM for lack of privilege.
*/typedefintmpo_vnode_check_revoke_t(
kauth_cred_t cred,
struct vnode *vp,
struct label *label
);
/**
@brief Access control check for searchfs
@param cred Subject credential
@param vp Object vnode
@param vlabel Policy label for vp
@param alist List of attributes used as search criteria
Determine whether the subject identified by the credential can search the
vnode using the searchfs system call.
@return Return 0 if access is granted, otherwise an appropriate value for
errno should be returned.
*/typedefintmpo_vnode_check_searchfs_t(
kauth_cred_t cred,
struct vnode *vp,
struct label *vlabel,
struct attrlist *alist
);
/**
@brief Access control check for select
@param cred Subject credential
@param vp Object vnode
@param label Policy label for vp
@param which The operation selected on: FREAD or FWRITE
Determine whether the subject identified by the credential can select
the vnode.
@return Return 0 if access is granted, otherwise an appropriate value for
errno should be returned.
*/typedefintmpo_vnode_check_select_t(
kauth_cred_t cred,
struct vnode *vp,
struct label *label,
int which
);
/**
@brief Access control check for setting file attributes
@param cred Subject credential
@param vp Object vnode
@param vlabel Policy label for vp
@param alist List of attributes to set
Determine whether the subject identified by the credential can set
various attributes of the specified vnode, or the filesystem or volume on
which that vnode resides. See <sys/attr.h> for definitions of the
attributes.
@return Return 0 if access is granted, otherwise an appropriate value for
errno should be returned. Suggested failure: EACCES for label mismatch or
EPERM for lack of privilege. Access control covers all attributes requested
with this call.
*/typedefintmpo_vnode_check_setattrlist_t(
kauth_cred_t cred,
struct vnode *vp,
struct label *vlabel,
struct attrlist *alist
);
/**
@brief Access control check for setting extended attribute
@param cred Subject credential
@param vp Object vnode
@param label Policy label for vp
@param name Extended attribute name
@param uio I/O structure pointer
Determine whether the subject identified by the credential can set the
extended attribute of passed name and passed namespace on the passed
vnode. Policies implementing security labels backed into extended
attributes may want to provide additional protections for those
attributes. Additionally, policies should avoid making decisions based
on the data referenced from uio, as there is a potential race condition
between this check and the actual operation. The uio may also be NULL
if a delete operation is being performed.
@return Return 0 if access is granted, otherwise an appropriate value for
errno should be returned. Suggested failure: EACCES for label mismatch or
EPERM for lack of privilege.
*/typedefintmpo_vnode_check_setextattr_t(
kauth_cred_t cred,
struct vnode *vp,
struct label *label,
constchar *name,
struct uio *uio
);
/**
@brief Access control check for setting flags
@param cred Subject credential
@param vp Object vnode
@param label Policy label for vp
@param flags File flags; see chflags(2)
Determine whether the subject identified by the credential can set
the passed flags on the passed vnode.
@return Return 0 if access is granted, otherwise an appropriate value for
errno should be returned. Suggested failure: EACCES for label mismatch or
EPERM for lack of privilege.
*/typedefintmpo_vnode_check_setflags_t(
kauth_cred_t cred,
struct vnode *vp,
struct label *label,
u_long flags
);
/**
@brief Access control check for setting mode
@param cred Subject credential
@param vp Object vnode
@param label Policy label for vp
@param mode File mode; see chmod(2)
Determine whether the subject identified by the credential can set
the passed mode on the passed vnode.
@return Return 0 if access is granted, otherwise an appropriate value for
errno should be returned. Suggested failure: EACCES for label mismatch or
EPERM for lack of privilege.
*/typedefintmpo_vnode_check_setmode_t(
kauth_cred_t cred,
struct vnode *vp,
struct label *label,
mode_t mode
);
/**
@brief Access control check for setting uid and gid
@param cred Subject credential
@param vp Object vnode
@param label Policy label for vp
@param uid User ID
@param gid Group ID
Determine whether the subject identified by the credential can set
the passed uid and passed gid as file uid and file gid on the passed
vnode. The IDs may be set to (-1) to request no update.
@return Return 0 if access is granted, otherwise an appropriate value for
errno should be returned. Suggested failure: EACCES for label mismatch or
EPERM for lack of privilege.
*/typedefintmpo_vnode_check_setowner_t(
kauth_cred_t cred,
struct vnode *vp,
struct label *label,
uid_t uid,
gid_t gid
);
/**
@brief Access control check for setting timestamps
@param cred Subject credential
@param vp Object vnode
@param label Policy label for vp
@param atime Access time; see utimes(2)
@param mtime Modification time; see utimes(2)
Determine whether the subject identified by the credential can set
the passed access timestamps on the passed vnode.
@return Return 0 if access is granted, otherwise an appropriate value for
errno should be returned. Suggested failure: EACCES for label mismatch or
EPERM for lack of privilege.
*/typedefintmpo_vnode_check_setutimes_t(
kauth_cred_t cred,
struct vnode *vp,
struct label *label,
struct timespec atime,
struct timespec mtime
);
/**
@brief Access control check for stat
@param active_cred Subject credential
@param file_cred Credential associated with the struct fileproc
@param vp Object vnode
@param label Policy label for vp
Determine whether the subject identified by the credential can stat
the passed vnode. See stat(2) for more information. The active_cred
hold the credentials of the subject performing the operation, and
file_cred holds the credentials of the subject that originally
opened the file.
@return Return 0 if access is granted, otherwise an appropriate value for
errno should be returned. Suggested failure: EACCES for label mismatch or
EPERM for lack of privilege.
*/typedefintmpo_vnode_check_stat_t(
struct ucred *active_cred,
struct ucred *file_cred, /* NULLOK */struct vnode *vp,
struct label *label
);
/**
@brief Access control check for truncate/ftruncate
@param active_cred Subject credential
@param file_cred Credential associated with the struct fileproc
@param vp Object vnode
@param label Policy label for vp
Determine whether the subject identified by the credential can
perform a truncate operation on the passed vnode. The active_cred hold
the credentials of the subject performing the operation, and
file_cred holds the credentials of the subject that originally
opened the file.
@return Return 0 if access is granted, otherwise an appropriate value for
errno should be returned. Suggested failure: EACCES for label mismatch or
EPERM for lack of privilege.
*/typedefintmpo_vnode_check_truncate_t(
kauth_cred_t active_cred,
kauth_cred_t file_cred, /* NULLOK */struct vnode *vp,
struct label *label
);
/**
@brief Access control check for binding UNIX domain socket
@param cred Subject credential
@param dvp Directory vnode
@param dlabel Policy label for dvp
@param cnp Component name for dvp
@param vap vnode attributes for vap
Determine whether the subject identified by the credential can perform a
bind operation on a UNIX domain socket with the passed parent directory,
passed name information, and passed attribute information.
@return Return 0 if access is granted, otherwise an appropriate value for
errno should be returned. Suggested failure: EACCES for label mismatch or
EPERM for lack of privilege.
*/typedefintmpo_vnode_check_uipc_bind_t(
kauth_cred_t cred,
struct vnode *dvp,
struct label *dlabel,
struct componentname *cnp,
struct vnode_attr *vap
);
/**
@brief Access control check for connecting UNIX domain socket
@param cred Subject credential
@param vp Object vnode
@param label Policy label associated with vp
Determine whether the subject identified by the credential can perform a
connect operation on the passed UNIX domain socket vnode.
@return Return 0 if access is granted, otherwise an appropriate value for
errno should be returned. Suggested failure: EACCES for label mismatch or
EPERM for lack of privilege.
*/typedefintmpo_vnode_check_uipc_connect_t(
kauth_cred_t cred,
struct vnode *vp,
struct label *label
);
/**
@brief Access control check for deleting vnode
@param cred Subject credential
@param dvp Parent directory vnode
@param dlabel Policy label for dvp
@param vp Object vnode to delete
@param label Policy label for vp
@param cnp Component name for vp
@see mpo_check_rename_to_t
Determine whether the subject identified by the credential can delete
a vnode from the passed parent directory and passed name information.
This call may be made in a number of situations, including as a
results of calls to unlink(2) and rmdir(2). Policies implementing
this entry point should also implement mpo_check_rename_to to
authorize deletion of objects as a result of being the target of a rename.
@return Return 0 if access is granted, otherwise an appropriate value for
errno should be returned. Suggested failure: EACCES for label mismatch or
EPERM for lack of privilege.
*/typedefintmpo_vnode_check_unlink_t(
kauth_cred_t cred,
struct vnode *dvp,
struct label *dlabel,
struct vnode *vp,
struct label *label,
struct componentname *cnp
);
/**
@brief Access control check for write
@param active_cred Subject credential
@param file_cred Credential associated with the struct fileproc
@param vp Object vnode
@param label Policy label for vp
Determine whether the subject identified by the credential can
perform a write operation on the passed vnode. The active_cred hold
the credentials of the subject performing the operation, and
file_cred holds the credentials of the subject that originally
opened the file.
@return Return 0 if access is granted, otherwise an appropriate value for
errno should be returned. Suggested failure: EACCES for label mismatch or
EPERM for lack of privilege.
*/typedefintmpo_vnode_check_write_t(
kauth_cred_t active_cred,
kauth_cred_t file_cred, /* NULLOK */struct vnode *vp,
struct label *label
);
/**
@brief Associate a vnode with a devfs entry
@param mp Devfs mount point
@param mntlabel Devfs mount point label
@param de Devfs directory entry
@param delabel Label associated with de
@param vp vnode associated with de
@param vlabel Label associated with vp
Fill in the label (vlabel) for a newly created devfs vnode. The
label is typically derived from the label on the devfs directory
entry or the label on the filesystem, supplied as parameters.
*/typedefvoidmpo_vnode_label_associate_devfs_t(
struct mount *mp,
struct label *mntlabel,
struct devnode *de,
struct label *delabel,
struct vnode *vp,
struct label *vlabel
);
/**
@brief Associate a label with a vnode
@param mp File system mount point
@param mntlabel File system mount point label
@param vp Vnode to label
@param vlabel Label associated with vp
Attempt to retrieve label information for the vnode, vp, from the
file system extended attribute store. The label should be stored in
the supplied vlabel parameter. If a policy cannot retrieve an
extended attribute, sometimes it is acceptible to fallback to using
the mntlabel.
If the policy requires vnodes to have a valid label elsewhere it
MUST NOT return other than temporary errors, and must always provide
a valid label of some sort. Returning an error will cause vnode
labeling to be retried at a later access. Failure to handle policy
centric errors internally (corrupt labels etc.) will result in
inaccessible files.
@return In the event of an error, an appropriate value for errno
should be returned, otherwise return 0 upon success.
*/typedefintmpo_vnode_label_associate_extattr_t(
struct mount *mp,
struct label *mntlabel,
struct vnode *vp,
struct label *vlabel
);
/**
@brief Associate a file label with a vnode
@param cred User credential
@param mp Fdesc mount point
@param mntlabel Fdesc mount point label
@param fg Fileglob structure
@param label Policy label for fg
@param vp Vnode to label
@param vlabel Label associated with vp
Associate label information for the vnode, vp, with the label of
the open file descriptor described by fg.
The label should be stored in the supplied vlabel parameter.
*/typedefvoidmpo_vnode_label_associate_file_t(
struct ucred *cred,
struct mount *mp,
struct label *mntlabel,
struct fileglob *fg,
struct label *label,
struct vnode *vp,
struct label *vlabel
);
/**
@brief Associate a pipe label with a vnode
@param cred User credential for the process that opened the pipe
@param cpipe Pipe structure
@param pipelabel Label associated with pipe
@param vp Vnode to label
@param vlabel Label associated with vp
Associate label information for the vnode, vp, with the label of
the pipe described by the pipe structure cpipe.
The label should be stored in the supplied vlabel parameter.
*/typedefvoidmpo_vnode_label_associate_pipe_t(
struct ucred *cred,
struct pipe *cpipe,
struct label *pipelabel,
struct vnode *vp,
struct label *vlabel
);
/**
@brief Associate a POSIX semaphore label with a vnode
@param cred User credential for the process that create psem
@param psem POSIX semaphore structure
@param psemlabel Label associated with psem
@param vp Vnode to label
@param vlabel Label associated with vp
Associate label information for the vnode, vp, with the label of
the POSIX semaphore described by psem.
The label should be stored in the supplied vlabel parameter.
*/typedefvoidmpo_vnode_label_associate_posixsem_t(
struct ucred *cred,
struct pseminfo *psem,
struct label *psemlabel,
struct vnode *vp,
struct label *vlabel
);
/**
@brief Associate a POSIX shared memory label with a vnode
@param cred User credential for the process that created pshm
@param pshm POSIX shared memory structure
@param pshmlabel Label associated with pshm
@param vp Vnode to label
@param vlabel Label associated with vp
Associate label information for the vnode, vp, with the label of
the POSIX shared memory region described by pshm.
The label should be stored in the supplied vlabel parameter.
*/typedefvoidmpo_vnode_label_associate_posixshm_t(
struct ucred *cred,
struct pshminfo *pshm,
struct label *pshmlabel,
struct vnode *vp,
struct label *vlabel
);
/**
@brief Associate a label with a vnode
@param mp File system mount point
@param mntlabel File system mount point label
@param vp Vnode to label
@param vlabel Label associated with vp
On non-multilabel file systems, set the label for a vnode. The
label will most likely be based on the file system label.
*/typedefvoidmpo_vnode_label_associate_singlelabel_t(
struct mount *mp,
struct label *mntlabel,
struct vnode *vp,
struct label *vlabel
);
/**
@brief Associate a socket label with a vnode
@param cred User credential for the process that opened the socket
@param so Socket structure
@param solabel Label associated with so
@param vp Vnode to label
@param vlabel Label associated with vp
Associate label information for the vnode, vp, with the label of
the open socket described by the socket structure so.
The label should be stored in the supplied vlabel parameter.
*/typedefvoidmpo_vnode_label_associate_socket_t(
kauth_cred_t cred,
socket_t so,
struct label *solabel,
struct vnode *vp,
struct label *vlabel
);
/**
@brief Copy a vnode label
@param src Source vnode label
@param dest Destination vnode label
Copy the vnode label information from src to dest. On Darwin, this
is currently only necessary when executing interpreted scripts, but
will later be used if vnode label externalization cannot be an
atomic operation.
*/typedefvoidmpo_vnode_label_copy_t(
struct label *src,
struct label *dest
);
/**
@brief Destroy vnode label
@param label The label to be destroyed
Destroy a vnode label. Since the object is going out of scope,
policy modules should free any internal storage associated with the
label so that it may be destroyed.
*/typedefvoidmpo_vnode_label_destroy_t(
struct label *label
);
/**
@brief Externalize a vnode label for auditing
@param label Label to be externalized
@param element_name Name of the label namespace for which labels should be
externalized
@param sb String buffer to be filled with a text representation of the label
Produce an external representation of the label on a vnode suitable for
inclusion in an audit record. An externalized label consists of a text
representation of the label contents that will be added to the audit record
as part of a text token. Policy-agnostic user space tools will display
this externalized version.
@return 0 on success, return non-zero if an error occurs while
externalizing the label data.
*/typedefintmpo_vnode_label_externalize_audit_t(
struct label *label,
char *element_name,
struct sbuf *sb
);
/**
@brief Externalize a vnode label
@param label Label to be externalized
@param element_name Name of the label namespace for which labels should be
externalized
@param sb String buffer to be filled with a text representation of the label
Produce an external representation of the label on a vnode. An
externalized label consists of a text representation of the label
contents that can be used with user applications. Policy-agnostic
user space tools will display this externalized version.
@return 0 on success, return non-zero if an error occurs while
externalizing the label data.
*/typedefintmpo_vnode_label_externalize_t(
struct label *label,
char *element_name,
struct sbuf *sb
);
/**
@brief Initialize vnode label
@param label New label to initialize
Initialize label storage for use with a newly instantiated vnode, or
for temporary storage associated with the copying in or out of a
vnode label. While it is necessary to allocate space for a
kernel-resident vnode label, it is not yet necessary to link this vnode
with persistent label storage facilities, such as extended attributes.
Sleeping is permitted.
*/typedefvoidmpo_vnode_label_init_t(
struct label *label
);
/**
@brief Internalize a vnode label
@param label Label to be internalized
@param element_name Name of the label namespace for which the label should
be internalized
@param element_data Text data to be internalized
Produce a vnode label from an external representation. An
externalized label consists of a text representation of the label
contents that can be used with user applications. Policy-agnostic
user space tools will forward text version to the kernel for
processing by individual policy modules.
The policy's internalize entry points will be called only if the
policy has registered interest in the label namespace.
@return 0 on success, Otherwise, return non-zero if an error occurs
while internalizing the label data.
*/typedefintmpo_vnode_label_internalize_t(
struct label *label,
char *element_name,
char *element_data
);
/**
@brief Clean up a vnode label
@param label The label to be cleaned for re-use
Clean up a vnode label. Darwin (Tiger, 8.x) allocates vnodes on demand, but
typically never frees them. Before vnodes are placed back on free lists for
re-use, policies can cleanup or overwrite any information present in the label.
*/typedefvoidmpo_vnode_label_recycle_t(
struct label *label
);
/**
@brief Write a label to a extended attribute
@param cred Subject credential
@param vp The vnode for which the label is being stored
@param vlabel Label associated with vp
@param intlabel The new label to store
Store a new label in the extended attribute corresponding to the
supplied vnode. The policy has already authorized the operation;
this call must be implemented in order to perform the actual
operation.
@return In the event of an error, an appropriate value for errno
should be returned, otherwise return 0 upon success.
@warning XXX After examining the extended attribute implementation on
Apple's future release, this entry point may be changed.
*/typedefintmpo_vnode_label_store_t(
kauth_cred_t cred,
struct vnode *vp,
struct label *vlabel,
struct label *intlabel
);
/**
@brief Update vnode label from extended attributes
@param mp File system mount point
@param mntlabel Mount point label
@param vp Vnode to label
@param vlabel Label associated with vp
@param name Name of the xattr
@see mpo_vnode_check_setextattr_t
When an extended attribute is updated via the Vendor attribute management
functions, the MAC vnode label might also require an update.
Policies should first determine if 'name' matches their xattr label
name. If it does, the kernel is has either replaced or removed the
named extended attribute that was previously associated with the
vnode. Normally labels should only be modified via MAC Framework label
management calls, but sometimes the user space components will directly
modify extended attributes. For example, 'cp', 'tar', etc. manage
extended attributes in userspace, not the kernel.
This entry point is called after the label update has occurred, so
it cannot return a failure. However, the operation is preceded by
the mpo_vnode_check_setextattr() access control check.
If the vnode label needs to be updated the policy should return
a non-zero value. The vnode label will be marked for re-association
by the framework.
*/typedefintmpo_vnode_label_update_extattr_t(
struct mount *mp,
struct label *mntlabel,
struct vnode *vp,
struct label *vlabel,
constchar *name
);
/**
@brief Update a vnode label
@param cred Subject credential
@param vp The vnode to relabel
@param vnodelabel Existing vnode label
@param label New label to replace existing label
@see mpo_vnode_check_label_update_t
The subject identified by the credential has previously requested
and was authorized to relabel the vnode; this entry point allows
policies to perform the actual relabel operation. Policies should
update vnodelabel using the label stored in the label parameter.
*/typedefvoidmpo_vnode_label_update_t(
kauth_cred_t cred,
struct vnode *vp,
struct label *vnodelabel,
struct label *label
);
/**
@brief Create a new vnode, backed by extended attributes
@param cred User credential for the creating process
@param mp File system mount point
@param mntlabel File system mount point label
@param dvp Parent directory vnode
@param dlabel Parent directory vnode label
@param vp Newly created vnode
@param vlabel Label to associate with the new vnode
@param cnp Component name for vp
Write out the label for the newly created vnode, most likely storing
the results in a file system extended attribute. Most policies will
derive the new vnode label using information from a combination
of the subject (user) credential, the file system label, the parent
directory label, and potentially the path name component.
@return If the operation succeeds, store the new label in vlabel and
return 0. Otherwise, return an appropriate errno value.
*/typedefintmpo_vnode_notify_create_t(
kauth_cred_t cred,
struct mount *mp,
struct label *mntlabel,
struct vnode *dvp,
struct label *dlabel,
struct vnode *vp,
struct label *vlabel,
struct componentname *cnp
);
/**
@brief Inform MAC policies that a vnode has been renamed
@param cred User credential for the renaming process
@param vp Vnode that's being renamed
@param label Policy label for vp
@param dvp Parent directory for the destination
@param dlabel Policy label for dvp
@param cnp Component name for the destination
Inform MAC policies that a vnode has been renamed.
*/typedefvoidmpo_vnode_notify_rename_t(
kauth_cred_t cred,
struct vnode *vp,
struct label *label,
struct vnode *dvp,
struct label *dlabel,
struct componentname *cnp
);
/*
* Placeholder for future events that may need mac hooks.
*/typedefvoidmpo_reserved_hook_t(void);
/*!
\struct mac_policy_ops
*/
#defineMAC_POLICY_OPS_VERSION 11 /* inc when new reserved slots are taken */struct mac_policy_ops {
mpo_audit_check_postselect_t *mpo_audit_check_postselect;
mpo_audit_check_preselect_t *mpo_audit_check_preselect;
mpo_bpfdesc_label_associate_t *mpo_bpfdesc_label_associate;
mpo_bpfdesc_label_destroy_t *mpo_bpfdesc_label_destroy;
mpo_bpfdesc_label_init_t *mpo_bpfdesc_label_init;
mpo_bpfdesc_check_receive_t *mpo_bpfdesc_check_receive;
mpo_cred_check_label_update_execve_t *mpo_cred_check_label_update_execve;
mpo_cred_check_label_update_t *mpo_cred_check_label_update;
mpo_cred_check_visible_t *mpo_cred_check_visible;
mpo_cred_label_associate_fork_t *mpo_cred_label_associate_fork;
mpo_cred_label_associate_kernel_t *mpo_cred_label_associate_kernel;
mpo_cred_label_associate_t *mpo_cred_label_associate;
mpo_cred_label_associate_user_t *mpo_cred_label_associate_user;
mpo_cred_label_destroy_t *mpo_cred_label_destroy;
mpo_cred_label_externalize_audit_t *mpo_cred_label_externalize_audit;
mpo_cred_label_externalize_t *mpo_cred_label_externalize;
mpo_cred_label_init_t *mpo_cred_label_init;
mpo_cred_label_internalize_t *mpo_cred_label_internalize;
mpo_cred_label_update_execve_t *mpo_cred_label_update_execve;
mpo_cred_label_update_t *mpo_cred_label_update;
mpo_devfs_label_associate_device_t *mpo_devfs_label_associate_device;
mpo_devfs_label_associate_directory_t *mpo_devfs_label_associate_directory;
mpo_devfs_label_copy_t *mpo_devfs_label_copy;
mpo_devfs_label_destroy_t *mpo_devfs_label_destroy;
mpo_devfs_label_init_t *mpo_devfs_label_init;
mpo_devfs_label_update_t *mpo_devfs_label_update;
mpo_file_check_change_offset_t *mpo_file_check_change_offset;
mpo_file_check_create_t *mpo_file_check_create;
mpo_file_check_dup_t *mpo_file_check_dup;
mpo_file_check_fcntl_t *mpo_file_check_fcntl;
mpo_file_check_get_offset_t *mpo_file_check_get_offset;
mpo_file_check_get_t *mpo_file_check_get;
mpo_file_check_inherit_t *mpo_file_check_inherit;
mpo_file_check_ioctl_t *mpo_file_check_ioctl;
mpo_file_check_lock_t *mpo_file_check_lock;
mpo_file_check_mmap_downgrade_t *mpo_file_check_mmap_downgrade;
mpo_file_check_mmap_t *mpo_file_check_mmap;
mpo_file_check_receive_t *mpo_file_check_receive;
mpo_file_check_set_t *mpo_file_check_set;
mpo_file_label_init_t *mpo_file_label_init;
mpo_file_label_destroy_t *mpo_file_label_destroy;
mpo_file_label_associate_t *mpo_file_label_associate;
mpo_ifnet_check_label_update_t *mpo_ifnet_check_label_update;
mpo_ifnet_check_transmit_t *mpo_ifnet_check_transmit;
mpo_ifnet_label_associate_t *mpo_ifnet_label_associate;
mpo_ifnet_label_copy_t *mpo_ifnet_label_copy;
mpo_ifnet_label_destroy_t *mpo_ifnet_label_destroy;
mpo_ifnet_label_externalize_t *mpo_ifnet_label_externalize;
mpo_ifnet_label_init_t *mpo_ifnet_label_init;
mpo_ifnet_label_internalize_t *mpo_ifnet_label_internalize;
mpo_ifnet_label_update_t *mpo_ifnet_label_update;
mpo_ifnet_label_recycle_t *mpo_ifnet_label_recycle;
mpo_inpcb_check_deliver_t *mpo_inpcb_check_deliver;
mpo_inpcb_label_associate_t *mpo_inpcb_label_associate;
mpo_inpcb_label_destroy_t *mpo_inpcb_label_destroy;
mpo_inpcb_label_init_t *mpo_inpcb_label_init;
mpo_inpcb_label_recycle_t *mpo_inpcb_label_recycle;
mpo_inpcb_label_update_t *mpo_inpcb_label_update;
mpo_iokit_check_device_t *mpo_iokit_check_device;
mpo_ipq_label_associate_t *mpo_ipq_label_associate;
mpo_ipq_label_compare_t *mpo_ipq_label_compare;
mpo_ipq_label_destroy_t *mpo_ipq_label_destroy;
mpo_ipq_label_init_t *mpo_ipq_label_init;
mpo_ipq_label_update_t *mpo_ipq_label_update;
mpo_lctx_check_label_update_t *mpo_lctx_check_label_update;
mpo_lctx_label_destroy_t *mpo_lctx_label_destroy;
mpo_lctx_label_externalize_t *mpo_lctx_label_externalize;
mpo_lctx_label_init_t *mpo_lctx_label_init;
mpo_lctx_label_internalize_t *mpo_lctx_label_internalize;
mpo_lctx_label_update_t *mpo_lctx_label_update;
mpo_lctx_notify_create_t *mpo_lctx_notify_create;
mpo_lctx_notify_join_t *mpo_lctx_notify_join;
mpo_lctx_notify_leave_t *mpo_lctx_notify_leave;
mpo_mbuf_label_associate_bpfdesc_t *mpo_mbuf_label_associate_bpfdesc;
mpo_mbuf_label_associate_ifnet_t *mpo_mbuf_label_associate_ifnet;
mpo_mbuf_label_associate_inpcb_t *mpo_mbuf_label_associate_inpcb;
mpo_mbuf_label_associate_ipq_t *mpo_mbuf_label_associate_ipq;
mpo_mbuf_label_associate_linklayer_t *mpo_mbuf_label_associate_linklayer;
mpo_mbuf_label_associate_multicast_encap_t *mpo_mbuf_label_associate_multicast_encap;
mpo_mbuf_label_associate_netlayer_t *mpo_mbuf_label_associate_netlayer;
mpo_mbuf_label_associate_socket_t *mpo_mbuf_label_associate_socket;
mpo_mbuf_label_copy_t *mpo_mbuf_label_copy;
mpo_mbuf_label_destroy_t *mpo_mbuf_label_destroy;
mpo_mbuf_label_init_t *mpo_mbuf_label_init;
mpo_mount_check_fsctl_t *mpo_mount_check_fsctl;
mpo_mount_check_getattr_t *mpo_mount_check_getattr;
mpo_mount_check_label_update_t *mpo_mount_check_label_update;
mpo_mount_check_mount_t *mpo_mount_check_mount;
mpo_mount_check_remount_t *mpo_mount_check_remount;
mpo_mount_check_setattr_t *mpo_mount_check_setattr;
mpo_mount_check_stat_t *mpo_mount_check_stat;
mpo_mount_check_umount_t *mpo_mount_check_umount;
mpo_mount_label_associate_t *mpo_mount_label_associate;
mpo_mount_label_destroy_t *mpo_mount_label_destroy;
mpo_mount_label_externalize_t *mpo_mount_label_externalize;
mpo_mount_label_init_t *mpo_mount_label_init;
mpo_mount_label_internalize_t *mpo_mount_label_internalize;
mpo_netinet_fragment_t *mpo_netinet_fragment;
mpo_netinet_icmp_reply_t *mpo_netinet_icmp_reply;
mpo_netinet_tcp_reply_t *mpo_netinet_tcp_reply;
mpo_pipe_check_ioctl_t *mpo_pipe_check_ioctl;
mpo_pipe_check_kqfilter_t *mpo_pipe_check_kqfilter;
mpo_pipe_check_label_update_t *mpo_pipe_check_label_update;
mpo_pipe_check_read_t *mpo_pipe_check_read;
mpo_pipe_check_select_t *mpo_pipe_check_select;
mpo_pipe_check_stat_t *mpo_pipe_check_stat;
mpo_pipe_check_write_t *mpo_pipe_check_write;
mpo_pipe_label_associate_t *mpo_pipe_label_associate;
mpo_pipe_label_copy_t *mpo_pipe_label_copy;
mpo_pipe_label_destroy_t *mpo_pipe_label_destroy;
mpo_pipe_label_externalize_t *mpo_pipe_label_externalize;
mpo_pipe_label_init_t *mpo_pipe_label_init;
mpo_pipe_label_internalize_t *mpo_pipe_label_internalize;
mpo_pipe_label_update_t *mpo_pipe_label_update;
mpo_policy_destroy_t *mpo_policy_destroy;
mpo_policy_init_t *mpo_policy_init;
mpo_policy_initbsd_t *mpo_policy_initbsd;
mpo_policy_syscall_t *mpo_policy_syscall;
mpo_port_check_copy_send_t *mpo_port_check_copy_send;
mpo_port_check_hold_receive_t *mpo_port_check_hold_receive;
mpo_port_check_hold_send_once_t *mpo_port_check_hold_send_once;
mpo_port_check_hold_send_t *mpo_port_check_hold_send;
mpo_port_check_label_update_t *mpo_port_check_label_update;
mpo_port_check_make_send_once_t *mpo_port_check_make_send_once;
mpo_port_check_make_send_t *mpo_port_check_make_send;
mpo_port_check_method_t *mpo_port_check_method;
mpo_port_check_move_receive_t *mpo_port_check_move_receive;
mpo_port_check_move_send_once_t *mpo_port_check_move_send_once;
mpo_port_check_move_send_t *mpo_port_check_move_send;
mpo_port_check_receive_t *mpo_port_check_receive;
mpo_port_check_send_t *mpo_port_check_send;
mpo_port_check_service_t *mpo_port_check_service;
mpo_port_label_associate_kernel_t *mpo_port_label_associate_kernel;
mpo_port_label_associate_t *mpo_port_label_associate;
mpo_port_label_compute_t *mpo_port_label_compute;
mpo_port_label_copy_t *mpo_port_label_copy;
mpo_port_label_destroy_t *mpo_port_label_destroy;
mpo_port_label_init_t *mpo_port_label_init;
mpo_port_label_update_cred_t *mpo_port_label_update_cred;
mpo_port_label_update_kobject_t *mpo_port_label_update_kobject;
mpo_posixsem_check_create_t *mpo_posixsem_check_create;
mpo_posixsem_check_open_t *mpo_posixsem_check_open;
mpo_posixsem_check_post_t *mpo_posixsem_check_post;
mpo_posixsem_check_unlink_t *mpo_posixsem_check_unlink;
mpo_posixsem_check_wait_t *mpo_posixsem_check_wait;
mpo_posixsem_label_associate_t *mpo_posixsem_label_associate;
mpo_posixsem_label_destroy_t *mpo_posixsem_label_destroy;
mpo_posixsem_label_init_t *mpo_posixsem_label_init;
mpo_posixshm_check_create_t *mpo_posixshm_check_create;
mpo_posixshm_check_mmap_t *mpo_posixshm_check_mmap;
mpo_posixshm_check_open_t *mpo_posixshm_check_open;
mpo_posixshm_check_stat_t *mpo_posixshm_check_stat;
mpo_posixshm_check_truncate_t *mpo_posixshm_check_truncate;
mpo_posixshm_check_unlink_t *mpo_posixshm_check_unlink;
mpo_posixshm_label_associate_t *mpo_posixshm_label_associate;
mpo_posixshm_label_destroy_t *mpo_posixshm_label_destroy;
mpo_posixshm_label_init_t *mpo_posixshm_label_init;
mpo_proc_check_debug_t *mpo_proc_check_debug;
mpo_proc_check_fork_t *mpo_proc_check_fork;
mpo_proc_check_get_task_name_t *mpo_proc_check_get_task_name;
mpo_proc_check_get_task_t *mpo_proc_check_get_task;
mpo_proc_check_getaudit_t *mpo_proc_check_getaudit;
mpo_proc_check_getauid_t *mpo_proc_check_getauid;
mpo_proc_check_getlcid_t *mpo_proc_check_getlcid;
mpo_proc_check_mprotect_t *mpo_proc_check_mprotect;
mpo_proc_check_sched_t *mpo_proc_check_sched;
mpo_proc_check_setaudit_t *mpo_proc_check_setaudit;
mpo_proc_check_setauid_t *mpo_proc_check_setauid;
mpo_proc_check_setlcid_t *mpo_proc_check_setlcid;
mpo_proc_check_signal_t *mpo_proc_check_signal;
mpo_proc_check_wait_t *mpo_proc_check_wait;
mpo_proc_label_destroy_t *mpo_proc_label_destroy;
mpo_proc_label_init_t *mpo_proc_label_init;
mpo_socket_check_accept_t *mpo_socket_check_accept;
mpo_socket_check_accepted_t *mpo_socket_check_accepted;
mpo_socket_check_bind_t *mpo_socket_check_bind;
mpo_socket_check_connect_t *mpo_socket_check_connect;
mpo_socket_check_create_t *mpo_socket_check_create;
mpo_socket_check_deliver_t *mpo_socket_check_deliver;
mpo_socket_check_kqfilter_t *mpo_socket_check_kqfilter;
mpo_socket_check_label_update_t *mpo_socket_check_label_update;
mpo_socket_check_listen_t *mpo_socket_check_listen;
mpo_socket_check_receive_t *mpo_socket_check_receive;
mpo_socket_check_received_t *mpo_socket_check_received;
mpo_socket_check_select_t *mpo_socket_check_select;
mpo_socket_check_send_t *mpo_socket_check_send;
mpo_socket_check_stat_t *mpo_socket_check_stat;
mpo_socket_check_setsockopt_t *mpo_socket_check_setsockopt;
mpo_socket_check_getsockopt_t *mpo_socket_check_getsockopt;
mpo_socket_label_associate_accept_t *mpo_socket_label_associate_accept;
mpo_socket_label_associate_t *mpo_socket_label_associate;
mpo_socket_label_copy_t *mpo_socket_label_copy;
mpo_socket_label_destroy_t *mpo_socket_label_destroy;
mpo_socket_label_externalize_t *mpo_socket_label_externalize;
mpo_socket_label_init_t *mpo_socket_label_init;
mpo_socket_label_internalize_t *mpo_socket_label_internalize;
mpo_socket_label_update_t *mpo_socket_label_update;
mpo_socketpeer_label_associate_mbuf_t *mpo_socketpeer_label_associate_mbuf;
mpo_socketpeer_label_associate_socket_t *mpo_socketpeer_label_associate_socket;
mpo_socketpeer_label_destroy_t *mpo_socketpeer_label_destroy;
mpo_socketpeer_label_externalize_t *mpo_socketpeer_label_externalize;
mpo_socketpeer_label_init_t *mpo_socketpeer_label_init;
mpo_system_check_acct_t *mpo_system_check_acct;
mpo_system_check_audit_t *mpo_system_check_audit;
mpo_system_check_auditctl_t *mpo_system_check_auditctl;
mpo_system_check_auditon_t *mpo_system_check_auditon;
mpo_system_check_host_priv_t *mpo_system_check_host_priv;
mpo_system_check_nfsd_t *mpo_system_check_nfsd;
mpo_system_check_reboot_t *mpo_system_check_reboot;
mpo_system_check_settime_t *mpo_system_check_settime;
mpo_system_check_swapoff_t *mpo_system_check_swapoff;
mpo_system_check_swapon_t *mpo_system_check_swapon;
mpo_system_check_sysctl_t *mpo_system_check_sysctl;
mpo_sysvmsg_label_associate_t *mpo_sysvmsg_label_associate;
mpo_sysvmsg_label_destroy_t *mpo_sysvmsg_label_destroy;
mpo_sysvmsg_label_init_t *mpo_sysvmsg_label_init;
mpo_sysvmsg_label_recycle_t *mpo_sysvmsg_label_recycle;
mpo_sysvmsq_check_enqueue_t *mpo_sysvmsq_check_enqueue;
mpo_sysvmsq_check_msgrcv_t *mpo_sysvmsq_check_msgrcv;
mpo_sysvmsq_check_msgrmid_t *mpo_sysvmsq_check_msgrmid;
mpo_sysvmsq_check_msqctl_t *mpo_sysvmsq_check_msqctl;
mpo_sysvmsq_check_msqget_t *mpo_sysvmsq_check_msqget;
mpo_sysvmsq_check_msqrcv_t *mpo_sysvmsq_check_msqrcv;
mpo_sysvmsq_check_msqsnd_t *mpo_sysvmsq_check_msqsnd;
mpo_sysvmsq_label_associate_t *mpo_sysvmsq_label_associate;
mpo_sysvmsq_label_destroy_t *mpo_sysvmsq_label_destroy;
mpo_sysvmsq_label_init_t *mpo_sysvmsq_label_init;
mpo_sysvmsq_label_recycle_t *mpo_sysvmsq_label_recycle;
mpo_sysvsem_check_semctl_t *mpo_sysvsem_check_semctl;
mpo_sysvsem_check_semget_t *mpo_sysvsem_check_semget;
mpo_sysvsem_check_semop_t *mpo_sysvsem_check_semop;
mpo_sysvsem_label_associate_t *mpo_sysvsem_label_associate;
mpo_sysvsem_label_destroy_t *mpo_sysvsem_label_destroy;
mpo_sysvsem_label_init_t *mpo_sysvsem_label_init;
mpo_sysvsem_label_recycle_t *mpo_sysvsem_label_recycle;
mpo_sysvshm_check_shmat_t *mpo_sysvshm_check_shmat;
mpo_sysvshm_check_shmctl_t *mpo_sysvshm_check_shmctl;
mpo_sysvshm_check_shmdt_t *mpo_sysvshm_check_shmdt;
mpo_sysvshm_check_shmget_t *mpo_sysvshm_check_shmget;
mpo_sysvshm_label_associate_t *mpo_sysvshm_label_associate;
mpo_sysvshm_label_destroy_t *mpo_sysvshm_label_destroy;
mpo_sysvshm_label_init_t *mpo_sysvshm_label_init;
mpo_sysvshm_label_recycle_t *mpo_sysvshm_label_recycle;
mpo_task_label_associate_kernel_t *mpo_task_label_associate_kernel;
mpo_task_label_associate_t *mpo_task_label_associate;
mpo_task_label_copy_t *mpo_task_label_copy;
mpo_task_label_destroy_t *mpo_task_label_destroy;
mpo_task_label_externalize_t *mpo_task_label_externalize;
mpo_task_label_init_t *mpo_task_label_init;
mpo_task_label_internalize_t *mpo_task_label_internalize;
mpo_task_label_update_t *mpo_task_label_update;
mpo_iokit_check_hid_control_t *mpo_iokit_check_hid_control;
mpo_vnode_check_access_t *mpo_vnode_check_access;
mpo_vnode_check_chdir_t *mpo_vnode_check_chdir;
mpo_vnode_check_chroot_t *mpo_vnode_check_chroot;
mpo_vnode_check_create_t *mpo_vnode_check_create;
mpo_vnode_check_deleteextattr_t *mpo_vnode_check_deleteextattr;
mpo_vnode_check_exchangedata_t *mpo_vnode_check_exchangedata;
mpo_vnode_check_exec_t *mpo_vnode_check_exec;
mpo_vnode_check_getattrlist_t *mpo_vnode_check_getattrlist;
mpo_vnode_check_getextattr_t *mpo_vnode_check_getextattr;
mpo_vnode_check_ioctl_t *mpo_vnode_check_ioctl;
mpo_vnode_check_kqfilter_t *mpo_vnode_check_kqfilter;
mpo_vnode_check_label_update_t *mpo_vnode_check_label_update;
mpo_vnode_check_link_t *mpo_vnode_check_link;
mpo_vnode_check_listextattr_t *mpo_vnode_check_listextattr;
mpo_vnode_check_lookup_t *mpo_vnode_check_lookup;
mpo_vnode_check_open_t *mpo_vnode_check_open;
mpo_vnode_check_read_t *mpo_vnode_check_read;
mpo_vnode_check_readdir_t *mpo_vnode_check_readdir;
mpo_vnode_check_readlink_t *mpo_vnode_check_readlink;
mpo_vnode_check_rename_from_t *mpo_vnode_check_rename_from;
mpo_vnode_check_rename_to_t *mpo_vnode_check_rename_to;
mpo_vnode_check_revoke_t *mpo_vnode_check_revoke;
mpo_vnode_check_select_t *mpo_vnode_check_select;
mpo_vnode_check_setattrlist_t *mpo_vnode_check_setattrlist;
mpo_vnode_check_setextattr_t *mpo_vnode_check_setextattr;
mpo_vnode_check_setflags_t *mpo_vnode_check_setflags;
mpo_vnode_check_setmode_t *mpo_vnode_check_setmode;
mpo_vnode_check_setowner_t *mpo_vnode_check_setowner;
mpo_vnode_check_setutimes_t *mpo_vnode_check_setutimes;
mpo_vnode_check_stat_t *mpo_vnode_check_stat;
mpo_vnode_check_truncate_t *mpo_vnode_check_truncate;
mpo_vnode_check_unlink_t *mpo_vnode_check_unlink;
mpo_vnode_check_write_t *mpo_vnode_check_write;
mpo_vnode_label_associate_devfs_t *mpo_vnode_label_associate_devfs;
mpo_vnode_label_associate_extattr_t *mpo_vnode_label_associate_extattr;
mpo_vnode_label_associate_file_t *mpo_vnode_label_associate_file;
mpo_vnode_label_associate_pipe_t *mpo_vnode_label_associate_pipe;
mpo_vnode_label_associate_posixsem_t *mpo_vnode_label_associate_posixsem;
mpo_vnode_label_associate_posixshm_t *mpo_vnode_label_associate_posixshm;
mpo_vnode_label_associate_singlelabel_t *mpo_vnode_label_associate_singlelabel;
mpo_vnode_label_associate_socket_t *mpo_vnode_label_associate_socket;
mpo_vnode_label_copy_t *mpo_vnode_label_copy;
mpo_vnode_label_destroy_t *mpo_vnode_label_destroy;
mpo_vnode_label_externalize_audit_t *mpo_vnode_label_externalize_audit;
mpo_vnode_label_externalize_t *mpo_vnode_label_externalize;
mpo_vnode_label_init_t *mpo_vnode_label_init;
mpo_vnode_label_internalize_t *mpo_vnode_label_internalize;
mpo_vnode_label_recycle_t *mpo_vnode_label_recycle;
mpo_vnode_label_store_t *mpo_vnode_label_store;
mpo_vnode_label_update_extattr_t *mpo_vnode_label_update_extattr;
mpo_vnode_label_update_t *mpo_vnode_label_update;
mpo_vnode_notify_create_t *mpo_vnode_notify_create;
mpo_vnode_check_signature_t *mpo_vnode_check_signature;
mpo_vnode_check_uipc_bind_t *mpo_vnode_check_uipc_bind;
mpo_vnode_check_uipc_connect_t *mpo_vnode_check_uipc_connect;
mac_proc_check_run_cs_invalid_t *mpo_proc_check_run_cs_invalid;
mpo_proc_check_suspend_resume_t *mpo_proc_check_suspend_resume;
mpo_reserved_hook_t *mpo_reserved12;
mpo_iokit_check_set_properties_t *mpo_iokit_check_set_properties;
mpo_system_check_chud_t *mpo_system_check_chud;
mpo_vnode_check_searchfs_t *mpo_vnode_check_searchfs;
mpo_priv_check_t *mpo_priv_check;
mpo_priv_grant_t *mpo_priv_grant;
mpo_proc_check_map_anon_t *mpo_proc_check_map_anon;
mpo_vnode_check_fsgetpath_t *mpo_vnode_check_fsgetpath;
mpo_iokit_check_open_t *mpo_iokit_check_open;
mpo_vnode_notify_rename_t *mpo_vnode_notify_rename;
mpo_reserved_hook_t *mpo_reserved14;
mpo_reserved_hook_t *mpo_reserved15;
mpo_reserved_hook_t *mpo_reserved16;
mpo_reserved_hook_t *mpo_reserved17;
mpo_reserved_hook_t *mpo_reserved18;
mpo_reserved_hook_t *mpo_reserved19;
mpo_reserved_hook_t *mpo_reserved20;
mpo_reserved_hook_t *mpo_reserved21;
mpo_reserved_hook_t *mpo_reserved22;
mpo_reserved_hook_t *mpo_reserved23;
mpo_reserved_hook_t *mpo_reserved24;
mpo_reserved_hook_t *mpo_reserved25;
mpo_reserved_hook_t *mpo_reserved26;
mpo_reserved_hook_t *mpo_reserved27;
mpo_reserved_hook_t *mpo_reserved28;
mpo_reserved_hook_t *mpo_reserved29;
};
/**
@brief MAC policy handle type
The MAC handle is used to uniquely identify a loaded policy within
the MAC Framework.
A variable of this type is set by mac_policy_register().
*/typedefunsignedint mac_policy_handle_t;
#definempc_t struct mac_policy_conf *
/**
@brief Mac policy configuration
This structure specifies the configuration information for a
MAC policy module. A policy module developer must supply
a short unique policy name, a more descriptive full name, a list of label
namespaces and count, a pointer to the registered enty point operations,
any load time flags, and optionally, a pointer to a label slot identifier.
The Framework will update the runtime flags (mpc_runtime_flags) to
indicate that the module has been registered.
If the label slot identifier (mpc_field_off) is NULL, the Framework
will not provide label storage for the policy. Otherwise, the
Framework will store the label location (slot) in this field.
The mpc_list field is used by the Framework and should not be
modified by policies.
*//* XXX - reorder these for better aligment on 64bit platforms */struct mac_policy_conf {
constchar *mpc_name; /** policy name */constchar *mpc_fullname; /** full name */constchar **mpc_labelnames; /** managed label namespaces */unsignedint mpc_labelname_count; /** number of managed label namespaces */struct mac_policy_ops *mpc_ops; /** operation vector */int mpc_loadtime_flags; /** load time flags */int *mpc_field_off; /** label slot */int mpc_runtime_flags; /** run time flags */
mpc_t mpc_list; /** List reference */void *mpc_data; /** module data */
};
/**
@brief MAC policy module registration routine
This function is called to register a policy with the
MAC framework. A policy module will typically call this from the
Darwin KEXT registration routine.
*/int mac_policy_register(struct mac_policy_conf *mpc,
mac_policy_handle_t *handlep, void *xd);
/**
@brief MAC policy module de-registration routine
This function is called to de-register a policy with theD
MAC framework. A policy module will typically call this from the
Darwin KEXT de-registration routine.
*/int mac_policy_unregister(mac_policy_handle_t handle);
/*
* Framework entry points for the policies to add audit data.
*/int mac_audit_text(char *text, mac_policy_handle_t handle);
/*
* Calls to assist with use of Apple XATTRs within policy modules.
*/int mac_vnop_setxattr(struct vnode *, constchar *, char *, size_t);
int mac_vnop_getxattr(struct vnode *, constchar *, char *, size_t,
size_t *);
int mac_vnop_removexattr(struct vnode *, constchar *);
/*
* Arbitrary limit on how much data will be logged by the audit
* entry points above.
*/
#defineMAC_AUDIT_DATA_LIMIT 1024
/*
* Values returned by mac_audit_{pre,post}select. To combine the responses
* of the security policies into a single decision,
* mac_audit_{pre,post}select() choose the greatest value returned.
*/
#defineMAC_AUDIT_DEFAULT 0 /* use system behavior */
#defineMAC_AUDIT_NO 1 /* force not auditing this event */
#defineMAC_AUDIT_YES 2 /* force auditing this event */// \defgroup mpc_loadtime_flags Flags for the mpc_loadtime_flags field
/**
@name Flags for the mpc_loadtime_flags field
@see mac_policy_conf
This is the complete list of flags that are supported by the
mpc_loadtime_flags field of the mac_policy_conf structure. These
flags specify the load time behavior of MAC Framework policy
modules.
*//*@{*//**
@brief Flag to indicate registration preference
This flag indicates that the policy module must be loaded and
initialized early in the boot process. If the flag is specified,
attempts to register the module following boot will be rejected. The
flag may be used by policies that require pervasive labeling of all
system objects, and cannot handle objects that have not been
properly initialized by the policy.
*/
#defineMPC_LOADTIME_FLAG_NOTLATE 0x00000001
/**
@brief Flag to indicate unload preference
This flag indicates that the policy module may be unloaded. If this
flag is not set, then the policy framework will reject requests to
unload the module. This flag might be used by modules that allocate
label state and are unable to free that state at runtime, or for
modules that simply do not want to permit unload operations.
*/
#defineMPC_LOADTIME_FLAG_UNLOADOK 0x00000002
/**
@brief Unsupported
XXX This flag is not yet supported.
*/
#defineMPC_LOADTIME_FLAG_LABELMBUFS 0x00000004
/**
@brief Flag to indicate a base policy
This flag indicates that the policy module is a base policy. Only
one module can declare itself as base, otherwise the boot process
will be halted.
*/
#defineMPC_LOADTIME_BASE_POLICY 0x00000008
/*@}*//**
@brief Policy registration flag
@see mac_policy_conf
This flag indicates that the policy module has been successfully
registered with the TrustedBSD MAC Framework. The Framework will
set this flag in the mpc_runtime_flags field of the policy's
mac_policy_conf structure after registering the policy.
*/
#defineMPC_RUNTIME_FLAG_REGISTERED 0x00000001
/*
* Depends on POLICY_VER
*/
#ifndefPOLICY_VER
#definePOLICY_VER 1.0
#endif
#defineMAC_POLICY_SET(handle, mpops, mpname, mpfullname, lnames, lcount, slot, lflags, rflags) \
staticstruct mac_policy_conf mpname##_mac_policy_conf = { \
.mpc_name = #mpname, \
.mpc_fullname = mpfullname, \
.mpc_labelnames = lnames, \
.mpc_labelname_count = lcount, \
.mpc_ops = mpops, \
.mpc_loadtime_flags = lflags, \
.mpc_field_off = slot, \
.mpc_runtime_flags = rflags \
}; \
\
static kern_return_t \
kmod_start(kmod_info_t *ki, void *xd) \
{ \
return mac_policy_register(&mpname##_mac_policy_conf, \
&handle, xd); \
} \
\
static kern_return_t \
kmod_stop(kmod_info_t *ki, void *xd) \
{ \
return mac_policy_unregister(handle); \
} \
\
extern kern_return_t _start(kmod_info_t *ki, void *data); \
extern kern_return_t _stop(kmod_info_t *ki, void *data); \
\
KMOD_EXPLICIT_DECL(security.mpname, POLICY_VER, _start, _stop) \
kmod_start_func_t *_realmain = kmod_start; \
kmod_stop_func_t *_antimain = kmod_stop; \
int _kext_apple_cc = __APPLE_CC__
#defineLABEL_TO_SLOT(l, s) (l)->l_perpolicy[s]
/*
* Policy interface to map a struct label pointer to per-policy data.
* Typically, policies wrap this in their own accessor macro that casts an
* intptr_t to a policy-specific data type.
*/
intptr_t mac_label_get(struct label *l, int slot);
voidmac_label_set(struct label *l, int slot, intptr_t v);
#definemac_get_mpc(h) (mac_policy_list.entries[h].mpc)
/**
@name Flags for MAC allocator interfaces
These flags are passed to the Darwin kernel allocator routines to
indicate whether the allocation is permitted to block or not.
Caution should be taken; some operations are not permitted to sleep,
and some types of locks cannot be held when sleeping.
*//*@{*//**
@brief Allocation operations may block
If memory is not immediately available, the allocation routine
will block (typically sleeping) until memory is available.
@warning Inappropriate use of this flag may cause kernel panics.
*/
#defineMAC_WAITOK 0
/**
@brief Allocation operations may not block
Rather than blocking, the allocator may return an error if memory
is not immediately available. This type of allocation will not
sleep, preserving locking semantics.
*/
#defineMAC_NOWAIT 1
/*@}*/
#endif/* !_SECURITY_MAC_POLICY_H_ */